ABSTRACT


Government agencies, businesses, and individuals alike have become more dependent on
technology, and the desire and need for interconnectedness has led to increasing network
vulnerability affecting both government and private sectors. Recognizing that both
government and private sector agencies individually lack the capabilities to defend
against cyber threats, President Obama has called for a more robust and resilient
cybersecurity alliance that encourages information-sharing partnerships with private
sector owners and operators in charge of protecting U.S. critical infrastructure. Despite
the recent drive for cyber legislation and policies, government agencies and private
companies have seemed reluctant to share information related to cyber-attacks and threats
with one another.

To discover the deeper underlying issues that inhibit public-private cooperation,
and to evaluate the effectiveness of public-private partnerships (PPPs) to advance cyber
information sharing, this thesis examines the banking and finance sector of U.S. critical
infrastructure. In doing so, it identifies reasons why information-sharing problems
exist  between  government  agencies  and  private  companies;  investigates  how  PPPs  satisfy 
national  cybersecurity  needs;  and,  in  turn,  reveals  issues  for  policymakers  to  consider 
when  shaping  policies  that  encourage  an  open  dialog  between  the  public  and  private 
sector. 




TABLE  OF  CONTENTS 


I. INTRODUCTION
    A. MAJOR RESEARCH QUESTION
    B. IMPORTANCE OF RESEARCH
    C. LITERATURE REVIEW
    D. POTENTIAL EXPLANATIONS AND HYPOTHESES
    E. METHODOLOGY
    F. OVERVIEW

II. BACKGROUND
    A. RISE OF CYBER-RELATED THREATS
    B. POLICY AND LEGISLATION
        1. CISPA and CISA
        2. NCCIP
        3. EO 13636
        4. PPD-21
        5. NIPP
    C. NIST RESPONSE TO EO REQUIREMENT 7
    D. DHS RESPONSE TO EO REQUIREMENT 8

III. PUBLIC-PRIVATE PARTNERSHIPS IN CYBERSECURITY
    A. INTRODUCTION
    B. FACTORS PROMOTING PPPS
    C. CHALLENGES AND LIMITATIONS
    D. CYBERSECURITY PPPS IN ACTION
    E. SUMMARY

IV. CASE STUDY: INFORMATION SHARING WITHIN THE BANKING AND FINANCE SECTOR
    A. INTRODUCTION
    B. BACKGROUND
        1. China
        2. Iran
        3. Identity Theft
        4. 2014 Surge in Cyber Criminal Activity
    C. FS-ISAC
    D. FINDINGS AND ANALYSIS
    E. SUMMARY

V. CONCLUSION
    A. SYNOPSIS
    B. HYPOTHESIS TEST
        1. Hypothesis One
            a. Timely Exchange of Threat Information
        2. Hypothesis Two
            a. Security Cost Increase
            b. Risk to Market Share
            c. Lack of Incentives
        3. Hypothesis Three
            a. Small- to Medium-Sized Companies Lack Resources
        4. Additional Explanations
    C. CONSIDERATIONS FOR FURTHER RESEARCH

LIST OF REFERENCES

INITIAL DISTRIBUTION LIST


LIST  OF  FIGURES 


Figure 1. Significant Cyber Incidents from 2006-2013

Figure 2. Financial Institution Participation in Information-sharing


LIST  OF  TABLES 


Table 1. Major Data Breaches of 2014


LIST  OF  ACRONYMS  AND  ABBREVIATIONS 


ACLU            American Civil Liberties Union
ATM             Automatic Teller Machine
C³VP            Cyber Community Volunteer Program
CEO             Chief Executive Officer
CAPP            Cyber Attack Against Payment Processes
CI              Critical Infrastructure
CIA             Central Intelligence Agency
CIKR            Critical Infrastructure Key Resources
CIP             Critical Infrastructure Protection
CIPAC           Critical Infrastructure Partnership Advisory Council
CISA            Cyber Intelligence Sharing Act
CISPA           Cyber Intelligence Sharing and Protection Act
CSRIC           Communications, Security, Reliability and Interoperability Council
CSIS            Center for Strategic and International Studies
CSPR            Cyberspace Policy Review
CSS             Center for Security Studies
DDoS            Distributed Denial of Service
DHS             Department of Homeland Security
DOD             Department of Defense
DOE             Department of Energy
EO              Executive Order
FBI             Federal Bureau of Investigation
FCC             Federal Communications Commission
FOIA            Freedom of Information Act
FS-ISAC         Financial Services — Information Sharing Analysis Center
FSSCC           Financial Services Sector Coordinating Council
FTC             Federal Trade Commission
FY              Fiscal Year
GAO             Government Accountability Office
HSPD            Homeland Security Presidential Directive
ICE             U.S. Immigration and Customs Enforcement
ISAC            Information Sharing Analysis Center
IT              Information Technology
IT-ISAC         Information Technology — Information Sharing Analysis Center
NCCIP           National Cybersecurity and Critical Infrastructure Protection Act
NCFTA           National Cyber Forensics and Training Alliance
NCPPP           National Council for Public-Private Partnerships
NCSD            National Cyber Security Division
NIPP            National Infrastructure Protection Plan
NIST            National Institute of Standards and Technology
NSA             National Security Agency
NSTAC           National Security Telecommunications Advisory Committee
NTIA            National Telecommunications and Information Administration
NYDFS           New York Department of Financial Services
OCIA            Office of Cyber and Infrastructure Analysis
OCIP            Office of Critical Infrastructure Protection and Compliance Policy
ODNI            Office of the Director of National Intelligence
OpenSSL         Open-source Secure Socket Layer
PCCIP           President’s Commission on Critical Infrastructure Protection
PPP             Public-Private Partnership
PDD             Presidential Decision Directive
PPD             Presidential Policy Directive
SCA             Stored Communications Act
SEC             Securities Exchange Commission
SLTT            State, local, tribal, and territorial
SME             Subject Matter Expert
SSA             Sector Specific Agencies
STIX            Structured Threat Information eXpression
TAXII           Trusted Automated eXchange of Indicator Information
USCYBERCOM      U.S. Cyber Command
Y2K             Year 2000




ACKNOWLEDGMENTS 


First,  and  foremost,  I  give  thanks  to  God  for  the  completion  of  this  project  and  all 
of  my  accomplishments  over  the  past  year-and-a-half.  All  of  my  strength  and 
perseverance  comes  from  Him.  To  my  wife,  Kimberly,  thank  you  for  your  continued 
love,  support,  and  sacrifice.  No  matter  where  the  Navy  has  sent  me,  you  have  always 
been  there,  behind  the  scenes,  making  things  work.  None  of  my  achievements  over  the 
past  11  years  would  have  been  possible  without  you.  I  love  you.  To  my  children,  thank 
you  once  again,  for  sacrificing  precious  time  together  while  I  completed  yet  another 
milestone  in  my  career.  While  I  continue  to  ask  more  than  I  should  from  you,  my  hope  is 
that  you  continue  to  observe  how  dedication  and  determination  can  pay  off.  Daddy  loves 
you  more! 

I  would  also  like  to  thank  our  church  family  and  friends  at  Shoreline  Community 
Church  in  Monterey.  Their  fellowship  and  encouragement  was  essential  to  the  spiritual 
growth  of  our  family  while  being  stationed  at  the  Naval  Postgraduate  School.  Last,  but 
certainly not least, I would like to acknowledge my primary advisor, Dr. Erik Dahl, and
my second reader, Dr. Wade Huntley, for their incredible support and guidance not only
throughout  the  thesis  process,  but  also  during  my  time  at  the  Naval  Postgraduate  School. 
Thank  you  both  for  your  dedication  and  direction. 




I.  INTRODUCTION 


A. MAJOR RESEARCH QUESTION

Cyber  threats  make  the  headlines  daily,  from  attacks  on  critical  infrastructure  to 
personal  identity  theft.  Government  agencies,  businesses,  and  individuals  alike  have 
become  more  dependent  on  technology,  and  the  desire  and  need  for  interconnectedness 
has  led  to  increasing  network  vulnerability  affecting  both  government  and  private  sectors. 
Policymakers  and  cyber  experts  continue  to  push  for  legislation  that  encourages  private 
companies  to  participate  voluntarily  in  information  sharing  programs  to  better  guard 
against cybercrime and espionage. Recognizing both government and private sectors
alone lack the capabilities to defend against cyber threats,1 President Obama, under
Executive Order 13636 and Presidential Policy Directive (PPD) 21, directed several
government agencies, with the Department of Homeland Security (DHS) taking the lead,
to establish a more robust and resilient cybersecurity alliance that encourages
information-sharing partnerships with private sector owners and operators in charge of
protecting U.S. critical infrastructure (CI).

Despite  the  recent  drive  for  cyber  legislation  and  policies,  government  agencies 
and private companies have seemed reluctant to disclose information related to
cyber-attacks and threats with one another. This thesis asks: why do cybersecurity
information-sharing problems exist between the government and the private sector? In doing so, it
also  investigates  how  public-private  partnerships  (PPPs)  respond  to  these  problems  to 
satisfy  national  cybersecurity  needs;  and  reveals  these  underlying  issues  for  policymakers 
to  consider  when  shaping  policies  that  encourage  an  open  dialog  between  the  public  and 
private  sector. 


1 “Fact Sheet: Executive Order 13636 and Presidential Policy Directive (PPD)-21,” Department of
Homeland Security, March 2013, http://www.dhs.gov/publication/fact-sheet-eo-13636-improving-critical-infrastructure-cybersecurity-and-ppd-21-critical.

B. IMPORTANCE OF RESEARCH

Efforts to foster and increase information sharing have recently emerged from
both the government and private sectors. Two examples that emanated from EO 13636
are the National Institute of Standards and Technology’s (NIST) Framework version 1.0
(shaped by both private industry and government),2 and the Department of Homeland
Security’s (DHS) Critical Infrastructure Cyber Community Volunteer Program (C³VP).3
The Framework promises to improve resiliency and encourage discussion of best
practices for managing cybersecurity risk; C³VP encourages private businesses to adopt
the Cybersecurity Framework. However, both programs, still in their infancy, are
voluntary, and there is much debate over whether such programs will be effective; for
example, some have critiqued how the language in the EO only specifies the directional
flow of information from the private sector to government agencies.4

Cybersecurity  experts,  lobbyists,  and  sector-specific  agencies  (SSAs)  of  critical 
infrastructure  argue  the  need  for  better  legislation  and  guidance  that  not  only  facilitates 
collaboration  from  both  private  and  government  agencies,  but  also  provides  liability 
protection  against  litigation  for  disclosure  while  sharing  information  and  responding  to 
cyber-threats.5 For example, the Department of Treasury (SSA in charge of protecting the
financial  services  sector)  recognized  the  need  for  more  public-private  collaboration  in 
improving  cybersecurity  to  the  U.S.  financial  sector — listed  as  one  of  four  strategic 


2 “Framework for Improving Critical Infrastructure Cybersecurity: Version 1.0,” National Institute
Standards and Technology, February 12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

3 “Critical Infrastructure Cyber Community Voluntary Program,” United States Computer Emergency
Readiness Team, Department of Homeland Security, accessed May 27, 2014, http://www.us-cert.gov/ccubedvp.

4 Veronica A. Chinn, Furches, Lee T., and Woodward, Barian A., “Information-Sharing with the
Private Sector,” National Defense University Press, April 1, 2014, http://ndupress.ndu.edu/Media/News/NewsArticleView/tabid/7849/Article/8464/jfq-73-information-sharing-with-the-private-sector.aspx.

5 Ryan Tracy, “Cybersecurity Legislation Gets Push From Financial Firms,” The Wall Street Journal,
Law Blog, November 13, 2013, http://blogs.wsj.com/law/2013/11/13/cybersecurity-legislation-gets-push-from-financial-firms/.

objectives in safeguarding the financial system against cybersecurity threats in the
department’s Strategic Plan FY 2014-2017.6

Current  literature  on  cyber  information  sharing  focuses  on  endorsing 
cybersecurity  legislation,  policies,  and  laws  that  encourage  or  even  mandate  government- 
private  sector  partnerships.  Some  argue  that  government  declassification  and  disclosure 
of known cyber threats to private companies is the answer,7 while others argue that the
answer rests in the private sector sharing timely cyber threat information with
government agencies.8 Despite these conventional arguments, the bulk of current
literature lacks discussion of other possibilities. A more focused approach that examines
similar public-private relationships within individual CI sectors could reveal further
motivations  or  explanations  that  could  add  value  to  the  existing  body  of  knowledge  on 
cybersecurity  issues  between  the  government  and  private  sector.  This  thesis  attempts  to 
discover  the  deeper  underlying  issues  that  inhibit  public-private  cooperation. 

C.  LITERATURE  REVIEW 

The  concept  of  public-private  partnerships  (PPP)  dates  back  to  the  Colonial 
period  in  North  America  when  John  Winthrop,  Jr.  established  a  series  of  pharmaceutical 
laboratories,  which  led  to  the  idea  that  government  agencies  could  utilize  private 
businesses to not only advance the progress of science, but also benefit society.9 PPPs —
situations  in  which  government  agencies  interact  with  private  companies — are  unique  to 
other  government-private  associations  in  that  they  both  share  in  the  resources,  risks,  and 


6 Department of Treasury, Department of the Treasury FY 2014-2017 Strategic Plan, 32,
http://www.treasury.gov/about/budget-performance/strategic-plan/Documents/2014-2017US_TreasuryStrategicPlan.pdf

7 Kelly Riddell, “Ex-FBI Official: Intel Agencies Don’t Share Cyber threats that Endanger
Companies,” The Washington Times, May 11, 2014, http://www.washingtontimes.com/news/2014/may/11/intel-agencies-dont-share-cyber-threats-that-could/?page=all.

8 James B. Comey, “The FBI and the Private Sector: Closing the Gap in Cyber Security,” Speech,
February 26, 2014, http://www.fbi.gov/news/speeches/the-fbi-and-the-private-sector-closing-the-gap-in-cyber-security.

9 Thomas Cellucci, “Innovative Public-Private Partnerships: Pathway to Effectively Solving
Problems,” Department of Homeland Security, July 2010, 4, http://www.dhs.gov/xlibrary/assets/st_innovative_public_private_partnerships_0710_version_2.pdf

costs of delivering a service to the public.10 A more complete definition of PPPs is
provided in Chapter III: Public-Private Partnerships in Cybersecurity. Today, many,
particularly in the Executive Branch, still believe in that same concept and submit that
fostering an information sharing alliance between government agencies and private
businesses that share in both costs and benefits is the best course of action to defend
against cyber-related attacks.

To understand the significance of the lack of cybersecurity information sharing
between public and private entities, it is necessary to find a place in time when
cybersecurity became a major issue. The prevailing literature on cybersecurity tends to
point to 2006 as the landmark year when we begin to see a significant rise in cyber
incidents.11 This steep upsurge in cyber-related attacks and threats highlighted the need
for immediate cybersecurity reform. Recognizing that the private sector controls the
majority of our nation’s critical infrastructure, the president released Executive Order
13636 in an effort to streamline cybersecurity regulations across both public and private
agencies to foster a more resilient cyber defense.12

Over the past several years (before and after the release of EO 13636),
government officials and private sector leaders alike have pressed for more public-private
collaboration to increase cybersecurity across all sixteen sectors of CI. Despite this
widespread urgency, policymakers have found difficulty in drafting legislation that not
only protects our national infrastructure, but also balances security and privacy.13 The
concept of cooperation between government agencies and the private sector continues to
be a controversial issue.


10 Cellucci, “Innovative Public-Private Partnerships,” 4.

11 “Significant Cyber Events,” Center for Strategic and International Studies, last modified March 10,
2014, http://csis.org/files/publication/140310_Significant_Cyber_Incidents_Since_2006.pdf

12 Executive Order no. 13636, Improving Critical Infrastructure Cybersecurity, DCPD-201300091,
February 19, 2013, http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf

13 Chertoff group has noted in a recent Cybersecurity Presentation, “Over 50 different pieces of
Legislation introduced in the past two years.” Ben Beeson, Gerald Ferguson, and Mark Weatherford,
“Implementation of the Cybersecurity Executive Order,” slide 6, November 13, 2013,
http://chertoffgroup.com/events.php.

In 2010, the U.S. Government Accountability Office (GAO) released a report
upon Congressional request to determine cyber-related PPP expectations from the
stakeholder’s perspective — and to evaluate the degree those expectations were being
satisfied. Utilizing both public and private employees, the GAO distributed surveys,
conducted interviews, and analyzed relevant policies across five CI sectors that rely
heavily on cyber assets to support operations: Communications, Defense Industry Base,
Energy, Banking and Finance, and Information Technology.14 In 2012, the White House
released Presidential Policy Directive (PPD-21), which identified and established 16
separate critical infrastructure sectors.15 Further discussion of PPD-21 is provided in
Chapter II.

The GAO found that private sector expectations, such as timely sharing of cyber-related
threats from the federal government and granting of security clearances, fell short.
Less than one-third of those surveyed reported receiving usable threat information.16 The
report also found that government expectations, such as implementing government
recommendations and sensitive information sharing, were also unsatisfactory. For
example, some private stakeholders refused to share sensitive information due to
government distrust.17 Although the GAO identifies several inadequacies of
cybersecurity PPPs, the report makes only two recommendations: Utilize results to
improve on expectations and augment a central point for better information integration.18
These recommendations lack any real plan of action or guidance for policymakers.
Another issue is the scope of the GAO’s research, which compared the effectiveness of
cybersecurity of five complex CI sectors. While the report’s initial findings seem
beneficial to improving PPPs within those sectors, such findings cannot be assumed
across all sectors of CI. A more focused approach that compares only two or three similar

14 David A. Powner, Critical Infrastructure Protection: Key Private and Public Cyber Expectations
Need to be Consistently Addressed, United States Government Accountability Office, 2010, 7,
http://search.proquest.com/docview/831086945?accountid=12702.

15 “Critical Infrastructure Sectors,” Department of Homeland Security, accessed December 15, 2014,
http://www.dhs.gov/critical-infrastructure-sectors.

16 Powner, Critical Infrastructure Protection, 16.

17 Ibid., 22.

18 Ibid., 23-24.

sectors could yield additional answers, produce more accurate and timely results, and
utilize  fewer  resources.  Regardless  of  the  report’s  findings,  it  does  reveal  some  initial 
issues  facing  PPPs  and  establishes  the  reference  point  for  further  research  in  answering 
why  a  problem  exists  between  government  agencies  and  private  companies  in  sharing 
cyber-related  threat  information. 

Perhaps  the  most  thorough  and  recent  scholarly  work  on  the  topic  of  cybersecurity 
information  sharing  is  Forrest  Hare’s  Dissertation  on  The  Interdependent  Nature  of 
National  Cyber  Security.  He  argues  the  need  for  cyber  related  information  sharing 
between  both  government  and  private  agencies  and  analyzes  the  electric  power  sector’s 
motivations  for  information  sharing  as  the  United  States  looks  to  start  using  new 
technologies, such as the Smart Grid.19 Hare also stresses the importance of the private
sector’s investment in cybersecurity and contribution to public-private information
sharing in order to strengthen cyber defenses and increase response time to threats and
incidents.20 Hare’s research findings identify several barriers and disincentives of
information sharing between government and private agencies within the electric power
sector.21 He also found that additional government regulation over cybersecurity does not
pose  a  negative  impact  on  private  sector  motivations;  however,  he  discovered  that 
increased  regulation  would  result  in  a  “greater  reporting  burden  and  fewer  resources 
devoted  to  actually  improving  [cyber]  security.”22  Hare  further  adds  that  companies 
might  be  more  willing  to  invest  in  more  cybersecurity  measures  if  other  private  sector 
companies  incurred  the  same  costs. 

Hare  asks  two  questions.  First,  in  the  interest  of  national  security  and  absent 
government  regulation,  what  motivations  exist  that  encourage  private  firms  to  invest  in 
cybersecurity  procedures?23  Second,  how  can  public-private  information  sharing  offer 

19 Forrest B. Hare, “The Interdependent Nature of National Cyber Security: Motivating Private Action
for a Public Good” (PhD diss., George Mason University, 2010), 155, Dudley Knox Inter Library Loan:
129484.

20 Ibid., 184.

21 Ibid., 205-6.

22 Ibid., 214.

23 Ibid., 93.

utility to both parties within the electric power critical infrastructure sector?24 He also
identifies and attempts to prove multiple hypotheses centered on the electric power CI
sector. While Hare’s work does not evaluate the effectiveness of cybersecurity
information sharing between government and private-sector agencies, it does identify the
potential of public-private partnerships to directly improve trust and motivation to
cooperate while indirectly increasing interaction between both sides.25 He concludes that,
“the private sector needs to have a better understanding of how their actions and inactions
are directly related to nation security,” further suggesting that additional research that
focuses on such factors could aid cybersecurity experts across all sectors of Critical
Infrastructure.26 Hare’s extensive research establishes a baseline of knowledge upon
which  this  thesis  will  attempt  to  build. 

In  2011,  five  leading  cybersecurity  associations  released  a  white  paper 
highlighting  several  cybersecurity  achievements  resulting  from  public-private 
partnerships.  The  authors  base  their  research  on  President  Obama’s  2009  Cyberspace 
Policy  Review  (CSPR)  and  the  2009  National  Infrastructure  Protection  Plan  (NIPP).  The 
paper  identifies  seven  key  areas  of  cybersecurity  that  align  with  the  CSPR,  including  risk 
management;  information  sharing  and  privacy;  and  education  and  awareness.  The  paper 
also  offers  several  recommendations  to  include  calling  for  more  transparency  and  sharing 
of  secret  information  from  the  government,  and  for  Congress  to  amend  current 
surveillance laws tailored for cybersecurity.27 It also suggests that both government and
private  agencies  develop  incentives  that  encourage  voluntary  adoption  and  investment  of 
best  security  practices  and  technology  within  the  guidelines  of  the  NIPP  framework.28 
Additionally,  the  paper  proposes  greater  cybersecurity  education  and  awareness  training. 


24 Hare, “The Interdependent Nature,” 185.

25 Ibid., 222-23.

26 Ibid., 256.

27 Business Software Alliance, et al., “Improving our Nation’s Cybersecurity Through the Public-Private
Partnership: White Paper,” March 8, 2011, 17, https://cdt.org/files/pdfs/20110308_cbyersec_paper.pdf

28 Ibid., 12.

to include hiring more cyber experts in both public and private agencies.29 While these
recommendations are plausible, they are repetitive of past research findings. Moreover,
the paper lacks any discourse answering why government agencies and private
companies seem reluctant to disclose information related to cybersecurity.

One year prior to the release of EO 13636, the United States experienced its
largest increase ever in cyber-attacks against critical infrastructure. Although the details
behind the sudden hike in cyber awareness were unclear, there were several contributing
factors, such as an increase in technology, a surge in sophisticated hackers, and an
escalation in probing from other non-allied countries such as Russia and China.30 James
Lewis, Senior Fellow from the Center for Strategic and International Studies (CSIS)
noted, “We hit rock bottom on [cybersecurity] in 2010. Then we hit rock bottom in 2011.
And we are still at rock bottom,” indicating that the United States is becoming
increasingly vulnerable to cyber-attacks on critical infrastructure.31

The beginning of 2012 brought light to the problem of government’s (particularly
the Department of Homeland Security’s) role in encouraging the private sector to invest
in a more robust network security. As cyber-related attacks continued to increase, cyber
experts and government officials (including the president) began to push for legislation
that not only grants the federal government the authority to begin sharing information
with the private sector, but also establishes minimum cybersecurity standards that private
companies in charge of operating and protecting critical infrastructure would be required
to achieve.32 John Brennan, who was then President Obama’s senior adviser on
counterterrorism and homeland security, strongly urged for a more mandated
cybersecurity policy versus a voluntary system, and was a large supporter of the proposed
Cybersecurity Act of 2012. He highlights how the private sector and government


29 Business Software Alliance, et al., “Improving our Nation’s Cybersecurity,” 25.

30 Michael Schmidt, “New Interest in Hacking as Threat to Security,” The New York Times, March 13,
2012, http://www.nytimes.com/2012/03/14/us/new-interest-in-hacking-as-threat-to-us-security.html?_r=0.

31 Ibid.

32 John Brennan, “Time to Protect Against Dangers of Cyberattack,” The Washington Post, April 15,
2012, http://www.washingtonpost.com/opinions/time-to-protect-against-dangers-ofcyberattack/2012/04/15/gIQAdJP8JT_story.html.

agencies in the past have teamed up to protect critical infrastructure from physical threats,
adding “There is no reason we cannot work together in the same way to protect the
cybersystems of our critical infrastructure.”33

President  Obama  also  wrote  an  op-ed  identifying  the  security  gaps  that  exist  from 
companies  that  have  not  adopted  more  robust  cyber  defenses.  He  stressed  the  necessity 
for  a  set  of  cybersecurity  standards  developed  and  executed  by  both  private  and 
government  agencies  that  not  only  protects  our  national  and  economic  security,  but  also 
protects the privacy and civil liberties of all Americans.34 Then-National Security
Agency (NSA) and U.S. Cyber Command chief General Keith Alexander also voiced his
concern over the increase of cyber-related attacks on U.S. Critical Infrastructure and
urged for legislation that enables the government to defend private networks against
cyber threats — despite deep concerns from private businesses and civil liberty groups
over rising costs on network regulation and privacy issues.35 These views continue to
highlight  that  the  drive  toward  a  more  secure  network  that  protects  critical  infrastructure 
lacks  due  regard  for  potential  public-private  information  sharing  problems. 

While many have argued that PPPs are needed to protect our Nation’s Critical
Infrastructure Key Resources (CIKR) against cyber-attacks and threats, there are those
who have critiqued the Executive’s approach to regulating cybersecurity of private
industry networks. The year 2012 became a controversial year for cybersecurity
legislation, with experts and politicians battling both sides of the argument of
empowering DHS to regulate cybersecurity.36 Prior to the release of EO 13636, three
senators  (John  McCain  R-AZ,  Kay  Hutchison  R-TX,  and  Saxby  Chambliss  R-GA) 
expressed  their  opinion  of  how  the  Executive  Branch’s  mandate  actually  hurts  the 


33 Brennan, “Time to Protect.”

34 Barack Obama, “Taking the Cyberattack Threat Seriously,” The Wall Street Journal, July 19, 2012,
http://online.wsj.com/news/articles/SB10000872396390444330904577535492693044650.

35 David E. Sanger and Eric Schmitt, “Rise is Seen in Cyberattacks Targeting U.S. Infrastructure,” The
New York Times, July 26, 2012, http://www.nytimes.com/2012/07/27/us/cyberattacks-are-up-national-security-chief-says.html.

36 Ellen Nakashima, “On Cybersecurity Bill, Battle Lines Forming,” The Washington Post, February
17, 2012, http://www.washingtonpost.com/blogs/checkpoint-washington/post/divisions-erupt-over-cybersecurity-bill/2012/02/17/gIQAG348IR_blog.html.
potential for public-private partnerships. They cited antitrust laws and statutory
limitations as the legal hurdles discouraging private companies from collaborating in
cyber-threat sharing activities with government agencies, stressing that “companies must
first check with their lawyers before sharing information for fear of litigation, not just
from customers or shareholders but from federal and state governments as well.”37 In
rebuttal, they urged the president to release a bipartisan information-sharing bill that
grants clear authority to share cyber-threat information between government entities and
private companies that includes liability protections in lieu of EO 13636.38 The three
senators, who were ranking Republicans on the Armed Services Committee, also stated
that “new statutory protections would drive information sharing and significantly
improve our nation’s cybersecurity,” and strongly felt that such protections would
unnecessarily amend existing law. At the time, they believed that the executive order by
itself would not be enough to foster a government-private cybersecurity alliance.

While policymakers, cyber experts, and the media debated over cybersecurity
legislation and privacy concerns, the impact of PPPs on homeland security issues
received little attention. Recognizing the lack of scholarly literature on PPPs and
protecting CI from all hazards, including cyber-related threats, Nathan Busch and Austen
Givens attempted to fill this gap by presenting their research in an October 2012 edition
of Homeland Security Affairs. Their work focuses on examining the evolving role of
PPPs and discusses the benefits, limitations, challenges, and incentives that PPPs face in
protecting the nation from all threats. Because 85% of our nation’s CI is under private
sector control, the authors stress the need for an alliance between DHS and private sector
companies.39 While only a limited section is dedicated to cybersecurity, the research
overall is applicable to all sectors of critical infrastructure.


37 John McCain, Kay Hutchison, and Saxby Chambliss, “No Cybersecurity Executive Order, Please,”
The Wall Street Journal, Sept 4, 2012, http://www.mccain.senate.gov/public/index.cfm/opinion-editorials?ID=c5083e37-061e-ac3f-8e9b-2594e43f9d2c.

38 Ibid.

39 Nathan E. Busch and Austen D. Givens, “Public-Private Partnerships in Homeland Security:
Opportunities and Challenges,” Homeland Security Affairs 8, no. 1 (2012) 3, http://search.proquest.com/docview/1266365905?accountid=12702.
Although the authors highlight the many benefits to PPPs, including building trust
and technological innovation, they also address what the previous literature on PPPs
seems to lack: potential limitations and challenges. For example, one limitation the
authors discuss is how poor management within PPPs can lead to rising costs and failed
expectations, such as the Virtual Fence project that DHS ultimately cancelled.40 Another
limitation that previous literature misses is the appearance versus reality problem of
PPPs. While businesses may publicly appear to place security as a top priority, secretly,
they are more concerned about their bottom line. Private organizations may also appear to
share mutual security standards set by the government; however, in reality corporations
are more likely to avoid complying with costly security recommendations. Thus, the
appearance of public-private cooperation concerning cybersecurity is often less of a
reality.41 The authors also identify another pitfall to government-private sector
collaboration in their critique of the Critical Infrastructure Partnership Advisory Council
(CIPAC) — an organization within DHS comprised of both government and private
businesses that share information to protect CI at the federal level. Despite the council’s
many contributions to PPPs, some view CIPAC’s position as “overly government-centric”
by siding with the government over private industry concerns.42 As a result, some private
firms may become discouraged if they share information with government agencies but
those agencies do not reciprocate in a timely fashion. Busch and Givens conclude that
although PPPs within homeland security endure significant challenges and limitations,
“future studies will need to examine other critical issues that become relevant as [PPPs]
continue.”43 The authors’ findings help establish a baseline of knowledge on
government-private sector information sharing issues, which this thesis will attempt to
expand upon by exploring current barriers to collaboration within a single CI sector.

The most recent work to date that attempts to assess the status quo of public-private
partnerships in securing cyberspace is a comparative analysis conducted by

40 Busch and Givens, “Public-Private Partnerships,” 9.

41 Ibid.

42 Ibid., 4.

43 Ibid., 15.
Rachel Nyswander Thomas, Vice President of Government Affairs for the Direct
Marketing Association,44 and published by CSIS. She examined the current (2012) status
of cybersecurity PPPs by analyzing several partnership models and offered a few
alternatives for policymakers to consider in meeting the nation’s cybersecurity
expectations.45 Her research sought to determine the PPP model most suitable in helping
secure cyberspace. By analyzing preceding cybersecurity PPPs, Thomas discovered that
pressure, coupled with a sense of urgency, is what forced many government and private
sector agencies to collaborate rather than using a more systematic approach; based on this
finding, she concluded that the field of cybersecurity was mature enough to begin
comparing different cybersecurity PPP models.46 Out of four alternate models, only one
met the set criteria determined to provide a more secure cyberspace: a civic switchboard
that coordinates public-private cyber information sharing under the direct authority of the
Executive Office.47 Thomas also found that despite the requirement of an ISAC for every
CI sector under Presidential Decision Directive (PDD) 63, several CI sectors lack an
Information Sharing Analysis Center (ISAC) counterpart — partly due to disagreements
between industry leaders as to the necessity of an ISAC investment.48 One could argue
that sectors lacking an ISAC hinder information sharing between government agencies
and industry; yet, her research does not fully investigate this issue. While Thomas’
contribution helps reinforce the status quo reiterated in previous literature that PPPs
remain an integral piece of the cybersecurity puzzle, her research contains one particular
weakness — source attribution.

Although her report was initially published in May 2012, Thomas updated it in
August 2013. However, the updated report lacks an explanation of the content added or
changed — including the extent of change — leaving it up to the reader to hunt for the

44 “Rachel Nyswander Thomas,” bio, Direct Marketing Association website, http://thedma.org/dma/rachel-nyswander-thomas/.

45 Rachel Nyswander Thomas, “Securing Cyberspace Through Public-Private Partnership: A
Comparative Analysis of Partnership Models,” May 2012, 8, last updated August 2013, http://csis.org/files/publication/130819_tech_summary.pdf.

46 Ibid., 31.

47 Ibid., 53.

48 Ibid., 9, 28.
changes using footnotes. More importantly, the facts derived from the personal
interviews Thomas conducted over the course of her research might be the most
important contribution to the existing literature on PPPs in securing cyberspace; yet,
those sources remain anonymous in the report, which makes assessing the credibility of
these sources difficult — if not impossible. For example, Thomas states, “only 200 people
in the entire financial services sector have a clearance level that would enable them to
receive classified information directly from ISAC partners.”49 While this information
helps address the issue of the government providing timely security clearances to private-sector
owners of CI, the source remains nameless. Similar research that acknowledges
reputable sources could yield a more practical and plausible contribution to the existing
body of knowledge on cybersecurity PPPs.

Despite an enormous hike in cyber-related attacks, literature concerning
cybersecurity and PPPs began to decline in 2013. While journalists, cybersecurity
experts, and policymakers stressed the importance of government-private sector
collaboration on cybersecurity efforts, scholarly research on the effectiveness of PPPs
took a back seat. Days after the release of the EO 13636, FBI Director Robert Mueller
stressed the importance of information sharing between the Bureau and other government
agencies — to include the private sector. He believed the problem was the lack of urgency
in private companies to recognize the seriousness of cyber-related threats. Mueller cited
several successful examples of PPP models, including the National Cyber Forensics and
Training Alliance (collaboration of law enforcement and private industry); Enduring
Security Framework (group of private and government leaders that analyze cyber-related
threats); and the FBI’s own Domestic Security Alliance Council (consisting of security
representatives from all CI and business sectors).50 These models could serve as potential
case studies in helping solve the cybersecurity information-sharing problem. Both the
NCFTA and ESF are discussed in Chapter III, Section D: Cybersecurity PPPs in Action.


49 Thomas, “Securing Cyberspace,” 12.

50 “The Cyber Threat-Planning for the Way Ahead,” Federal Bureau of Investigation, February 19,
2013, http://www.fbi.gov/news/stories/2013/february/the-cyber-threat-planning-for-the-way-ahead/the-cyber-threat-planning-for-the-way-ahead.
Within a month of the president’s Executive Order, media outlets began reporting
that security companies, such as Raytheon and Lockheed Martin, were lobbying for
stronger cyber laws that mandated more stringent cybersecurity requirements, in order to
boost sales in security products. Meanwhile, the victims of cyber-attacks — banking,
communication, and energy sectors — pushed for better liability protection and threat
assessments from government agencies.51 The majority of cybersecurity publicity during
2013 consisted of continual recommendations on policy and ways to increase cyber
defenses with very little research into the effectiveness of PPPs. However, retired Rear
Admiral and current Cybersecurity Solutions Group Vice President Elizabeth A. Hight
cited one particular case where the Department of Energy (DOE) and DHS formed an
information-sharing alliance with several different energy companies — highlighting the
potential value in using mature partnership models as benchmarks that can measure
forward progress in cybersecurity. Hight noted, “[w]hen industry and the public sector
are able to access and receive timely, actionable information, better solutions emerge,”
further arguing that such models establish a standard for other CI sectors to follow.52

By now, it should be evident that, despite an obvious increase in cyber-related
threats to our nation’s CI, government and private entities have been at times both willing
and reluctant to forge PPPs that encourage information sharing to enhance cybersecurity.
Absent from the current literature is a more focused analysis that examines whether or
not similar CI-specific agencies enjoy more or less cooperation on cybersecurity matters
within their respective private industries. This research adds to the existing body of
knowledge by exploring the current barriers to PPPs within the finance sector53 to help
fill the gap between the government’s push to increase cyber resiliency and the seemingly


51 Eric Engleman and Jonathan D. Salant, “U.S. Cybersecurity Policy Draws Interest From
Companies, Lobbyists,” The Washington Post, March 24, 2013, http://www.washingtonpost.com/business/economy/us-cybersecurity-policy-draws-interest-from-companies-lobbyists/2013/03/24/916a79f2-9271-11e2-bdea-e32ad90da239_story.html.

52 Elizabeth A. Hight, “Forging A Public-private Partnership for Cybersecurity: Government, Private
Sector Collaboration Key to Forward-looking Security,” Washington Technology, April 30, 2013,
http://washingtontechnology.com/articles/2013/04/30/insights-hight-cyber-collaboration.aspx.

53 The financial sector was chosen due to the more recent surge in cyber-attacks on U.S. banks and
citizens; the banking and finance sector also has the potential to suffer the most catastrophic damage to
national security, U.S. economy, and lifestyle.
non-cooperation, perhaps even reluctance to cooperate, of both government agencies and
privately owned businesses in charge of protecting our nation’s CI.

D. POTENTIAL EXPLANATIONS AND HYPOTHESES

Based on scholarly evidence presented in the literature review, there are three
potential explanations for the failure of government and private sector cooperation in
cybersecurity information-sharing. The author recognizes that, while the potential for
other causal explanations or theories may exist, the three presented here are the most
promising explanations to the complex question this thesis attempts to answer.

Hypothesis One: Participation in PPPs is less likely to occur when either side fails
to share cyber-related information in a timely and accurate manner.

Hypothesis Two: Private companies feel threatened by cybersecurity regulations
and standards that increase security costs, risk the loss of market share, and lack
incentives, thus decreasing the likelihood of PPP participation.

Hypothesis Three: Small-to-medium sized private sector companies lack the
necessary resources to participate in information-sharing cybersecurity PPPs.

E. METHODOLOGY

For the purpose of this research, Public-Private Partnerships (by definition
provided earlier in the literature review) refers to both government and private sector
entities that share in the resources, risks, and costs of delivering a service to the public.54
Thus, the government-private associations explored in this research are synonymous with
PPPs. Further discussion of PPPs is also provided in Chapter III. To help identify the
barriers to establishing PPPs, this thesis examines cybersecurity information-sharing
within the banking and finance CI sector. The three proposed hypotheses described above


54 Cellucci, “Innovative Public-Private Partnerships,” 4.
will be tested based on the evidence provided in Chapters III and IV in an attempt to
answer the major research question of why information-sharing problems exist between
government agencies and private companies.

For the purpose of this research, cyber-attacks involving major banks and
corporations that affect the U.S. and world economy; personal identity theft that results in
either potential or actual financial loss; and network breaches of major retail companies
apply to the financial CI sector. While this thesis recognizes that other CI sectors share
the same, if not more, dependency on cybersecurity alliances between government
agencies and private sector companies, the finance sector has not only experienced a
recent surge in cyber-attacks, but also has the potential to suffer the most catastrophic
damage to our nation’s security, economy, and way of life. Additionally, private-sector
owners control the majority of CI systems within these sectors — further stressing the
importance of evaluating the factors that both promote and challenge cybersecurity PPPs.

It is also important to note that while cyber-related incidents involving identity
theft and breaches of major retail companies also fall under the IT sector, the majority of
literature and evidence identifying the barriers to information-sharing between public and
private entities is found within the banking and financial sector. However, in some
instances, the lines between cybersecurity information sharing within some sectors can
become blurred. One example is the FS and IT sectors, discussed in further detail in
Chapter IV.

F. OVERVIEW

Chapter II provides a background of recent cyber-attacks across the various
sectors of CI to establish the importance and urgency of the topic. This chapter also
provides a brief description of the most recent controversial cybersecurity policies and
legislation applicable to this research. Chapter III identifies several factors that both
promote and challenge the establishment of, and agency participation in, cybersecurity
PPPs. Chapter IV assesses the current challenges facing the establishment of PPPs to
advance cyber information sharing within the banking and finance CI sector. Chapter V
provides a synopsis of the previous chapters, utilizes the case study findings to validate
the three hypotheses, and offers recommendations for further research.
II. BACKGROUND

A. RISE OF CYBER-RELATED THREATS

In a speech given at a cybersecurity conference in San Francisco, former FBI
Director Robert Mueller said, “I am convinced that there are only two types of
companies: those that have been hacked and those that will be,” further adding, “they are
even converging into one category: companies that have been hacked and will be hacked
again.”55 Government agencies, businesses, and individuals alike have become more
dependent on technology, and the desire and need for interconnectedness has led to
increasing network vulnerability in both government and private sectors — including our
nation’s critical infrastructure.

Despite tireless efforts to secure government and commercial networks; increase
critical infrastructure resiliency; and protect intellectual property, cyber-related attacks
continue to increase across the globe. Today, no state can claim to be impermeable to
cyber-related threats. The Center for Strategic and International Studies (CSIS) maintains
an updated list of significant and successful cyber-attacks worldwide involving
government agencies, the military, and the economy (where monetary loss exceeds one
million dollars).56 It is important to note that this list only contains what CSIS considers
to be substantial and does not account for all cyber-attacks or attempts.

In the past decade, we have seen an increase of cyber-related attacks against U.S.
networks and infrastructure. According to DHS, there were 50,000 cyber incidents
reported between October 2011 and March 2012, which marked a historical increase in
cyber-related attacks on multiple networks.57 In fact, in 2012 alone, DHS recorded over


55 Robert S. Mueller, “Remarks prepared for delivery,” RSA Cyber Security Conference, Federal
Bureau of Investigation, March 1, 2012, http://www.fbi.gov/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies.

56 CSIS, “Significant Cyber Events.”

57 Schmidt, “New Interest in Hacking.”




198 attacks against the United States.58 This sudden surge, coupled with a steady pattern
of increasing vulnerability since 2010, created an overwhelming pressure on
policymakers to pass legislation — granting the Department of Homeland Security (DHS)
more oversight and regulation over the owners and operators of our Nation’s Critical
Infrastructure. The increasing trend of significant global cyber incidents over a 7-year
span (2006-2013) is illustrated in Figure 1.


[Figure: Significant Cyber Incidents (2006-2013), Total: 153]

Figure 1. Significant Cyber Incidents from 2006-2013 (see note 59)


From May 2006 to December 2013, according to CSIS, out of the 153 significant
global cyber incidents (losses exceeding one million dollars), the United States alone
experienced fifty-three — ranging from personal identity theft and cyber espionage, to the
more recent Snowden leaks.60 While some attacks have left behind minimal damage,
other more sophisticated attacks have resulted in major security breaches — resulting in
the loss of hundreds of millions of dollars.61 The extent of damage caused by the
Snowden leaks is still unknown.


58 Tiffany Kaiser, “DHS: Cyber Attacks Against US Infrastructure Increased by 52 Percent in 2012,”
Daily Tech, January 10, 2013, http://www.dailytech.com/DHS+Cyber+Attacks+Against+US+Infrastructure+Increased+by+52+Percent+in+2012/article29632.htm.

59 Data retrieved from CSIS, “Significant Cyber Events.”

60 CSIS, “Significant Cyber Events.”

61 Ibid.




B. POLICY AND LEGISLATION

Creating a policy on which everyone can agree is virtually impossible. In fact, in
1977, Congress introduced the Federal Computer Systems Protection Act, which
attempted to establish penalties for computer crimes; unfortunately, the bill never passed.
Throughout the next several years, federal agencies pressed policymakers to create laws
against database breaches and, a decade later, President Ronald Reagan signed the
Computer Security Act of 1987, which intended to protect the databases of federal
agencies against hacking. After the Morris worm attack of 1989 and continuous data theft
in the early 1990s, it became obvious to policymakers that the Security Act of 1987 was
failing.62

Throughout the 1990s, fears of the Y2K bug began to spread. As a result, the
Clinton administration established a Presidential Commission of Critical Infrastructure
Protection (PCCIP) in the summer of 1996 that aimed to protect vital systems against
potential cyber disruptions, be they terrorism, espionage, or network hacking. As Y2K
approached, policymakers spent tens of billions on protecting against the anticipated
global cyber crash. When the arrival of Y2K passed uneventfully, critics began to
question why the U.S. had bought into the Y2K hype while other countries had not.63
Since 2000, the amount of cyber incidents and policy initiatives has increased
substantially — gaining massive attention from both public and private sector
stakeholders. This accumulation of cyber-attacks not only reinforced the necessity for
increased government oversight and tougher policies aimed to harden cyber structures, it
also signaled a worldwide caution to all nations to take a hard look at reforming
cybersecurity policy.64

The United States has repeatedly struggled over the past several years to stay
ahead of the opposition. In lieu of this battle, Congress and the president have passed,


62 “Government and Cybersecurity,” 1-2.

63 Ibid.

64 Andrea Peterson and Sean Pool, “Timeline: U.S. Security Policy in Context: A Look at President
Obama’s Latest Executive Order and the Policies that Preceded It,” Science Progress, February 13, 2013,
http://scienceprogress.org/2013/02/u-s-cybersecurity-policy-in-context/.
superseded, and abolished numerous cybersecurity policies; established U.S. Cyber
Command (USCYBERCOM); formed the House Republican Cybersecurity Task Force;
secretly released Presidential Policy Directive 20 (directive on cyber-attack defense); and
released EO 13636 tasking NIST to develop a cybersecurity framework to assist owners
and operators of CI to reduce cyber risks. Today, cybersecurity policies and programs
designed to protect our networks, databases, and critical infrastructure are numerous; and
the road to get here has not been easy. Protecting our national security against evolving
cyber-threats has been an overwhelming task requiring countless changes and updates to
cybersecurity policy.

1. CISPA and CISA

The most controversial bill on cybersecurity to date is the Cyber Intelligence
Sharing and Protection Act (CISPA). In 2012, the House passed the bill despite heavy
reproach from civil liberty organizations and critics who feared the bill would grant
government and private agencies access to monitor individual online activity without
oversight — so long as it was for cybersecurity purposes. CISPA came at a time when
cyber-threats were on the rise and Congress was receiving pressure from the financial
sector and the White House to create legislation that encourages information sharing
between government agencies and the private sector to prevent, mitigate, and respond to
cyber-attacks. Supporters of the bill included tech companies IBM and Verizon; the
financial institutions of Citibank and JPMorgan Chase; and the majority of House
Republicans. Those opposed included the American Civil Liberties Union (ACLU); the
Congressional Privacy Caucus; and President Barack Obama who felt the bill lacked
confidentiality and regulation. Not surprisingly, the bill never made it past the Senate.
One year later, the bill resurfaced for a second round in Congress with the same results;
however, this time the Senate refused to even vote, stating that the Senate Intelligence


Peterson and Pool, “Timeline.”
Committee was currently working on a similar bill.67 It was assumed that the next bill to
replace the CISPA would be the NCCIP, until recently when Senators Dianne Feinstein
(D-CA) and Saxby Chambliss (R-GA) revived a revised version of the CISPA bill for a
third go-around. The new bill, the Cybersecurity Information Sharing Act of 2014
(CISA), calls upon NIST to establish the same standards and practices they have already
done in Framework 1.0. To better distinguish CISA from the two previous bills that
created much controversy over privacy and civil rights violations, the new bill drops the
“P” (for Protection).68 On April 18, 2014, CISA passed the House and, as of the time of this
research, was awaiting Senate approval.

2. NCCIP

With the recurring disappointment of CISPA over the past several years in
Congress, Homeland Security Chair Michael McCaul (R-TX) and Bennie Thompson (D-MS)
vowed to develop an information-sharing bill that allows DHS to assist the private
sector, charged with protecting Critical Infrastructure, in combating cyber-threats. The
National Cybersecurity and Critical Infrastructure Protection Act (NCCIP) of 2013 is not
so much a Senate spinoff of CISPA as the current CISA bill, but rather the latest
installment of information sharing legislation that amends the Homeland Security Act of
2002. Cybersecurity expert Tom Kellermann strongly supports the bill and is very
optimistic that it will pass later this year. He has over 17 years of experience in
cybersecurity risk response, and recently served on the Cybersecurity Mission for the
44th president.69 In a recent interview, Kellermann stressed the bill’s importance to the
private sector and believed “it will act as a clearinghouse for cyber attacks and
assistance,” further adding, “Other countries have been providing this type of support, but


67 Gerry Smith, “Senate Won’t Vote on CISPA, Deals Blow Controversial Cyber Bill,” Huffington
Post, April 25, 2013, http://www.huffingtonpost.com/2013/04/25/cispa-cyber-bill_n_3158221.html.

68 Zach Whittaker, “Failed Twice, Revived Again: CISPA Returns Despite Concerns Over Privacy,
Data Sharing,” ZDNet, April 30, 2014, http://www.zdnet.com/failed-twice-revived-again-cispa-returns-despite-concerns-over-privacy-data-sharing-7000028943/.

69 Ashley Bennett, “Cybersecurity Expert Explains Importance of NCCIP Act,” Government Security
News, February 11, 2014, accessed on May 30, 2014, http://www.gsnmagazine.com/article/40197/cybersecurityexpertexplainsimportancenccipact.
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this  would  be  a  first  in  the  Working  elosely  with  DHS,  representatives  from  the 

House  Homeland  Seeurity  Committee  have  been  hard  at  work  to  finalize  the  bipartisan 
supported  bill  that  eould  not  eome  at  a  more  erueial  time  when  frequent  and  almost  daily 
reported  eyber-attaeks  oeeur  aeross  all  seetors  of  eritieal  infrastrueture.^i 

3.  EO  13636 

In February 2013, the White House released Executive Order 13636: Improving
Critical Infrastructure Cybersecurity, due to the increasing potential of cyber-attacks that
threaten our national security. The order establishes a standard for an information
partnership between the private sector and government agencies on a voluntary basis. It
calls on the Secretary of DHS, the director of DNI, the National Institute of Standards
and Technology (NIST), and the Sector Specific Agencies (SSA), to establish a
framework that improves resiliency and increases computer network security.72 The main
issue with this order was that participation in an information-sharing coalition by private
companies was voluntary. Because of this, the debate between privacy and protection
emerged, and many private firms seemed reluctant to share such information with
government agencies. In hopes of encouraging private sector participation, the Secretary
of DHS was ordered to establish an incentive program.73

4.  PPD-21 

Released on the same day as EO 13636, the Presidential Policy Directive-21 was
an overarching document addressing both physical and cyber threats against critical
infrastructure; it replaced and updated the previous Homeland Security Presidential
Directive-7 (HSPD-7). Similar to the requirements of EO 13636, the directive required
the federal government to collaborate with state, local, tribal, and territorial agencies
(commonly referred to as SLTT), and the owners and operators in charge of critical
infrastructure, to manage risks and increase resiliency against all hazards.74 PPD-21 also
established and identified 16 separate critical infrastructure sectors, including the
financial services sector.75 While EO 13636 focused exclusively on cyber-related threats
by directing the Executive Branch to improve critical infrastructure cybersecurity, PPD-21
addressed all threats and hazards to critical infrastructure security and resilience, and
called for an updated National Infrastructure Protection Plan (NIPP).76 Despite its
positive contributions in protecting national security, some have criticized PPD-21 for
being too broad. Forbes contributor and author of Surviving Cyberwar, Richard Stiennon,
believed PPD-21 expects too much and sets unrealistic deadlines for government agencies
and SSAs. He called PPD-21 his “worst nightmare,” and a “top down solution that
expresses the frustration of good intentions to ‘do something.’”77

70 Bennett, “Cybersecurity Expert Explains.”

71 Nelson Peacock, “Cybersecurity Could be the Next Bipartisan Breakthrough,” The Hill, January 22,
2014, accessed on May 30, 2014,
http://thehill.com/blogs/congress-blog/technology/196026-cybersecurity-could-be-the-next-bipartisan-breakthrough.

72 Executive Order no. 13636.

73 Eric A. Fisher, et al., “The 2013 Cybersecurity Executive Order: Overview and Considerations for
Congress,” Congressional Research Service, March 1, 2013, 5-6, 9,
http://www2.gwu.edu/~nsarchiv/NSAEBB/NSAEBB424/docs/Cyber-089.pdf

5.  NIPP 

The National Infrastructure Protection Plan (NIPP) was an update to the previous
NIPP as mandated by PPD-21. Drawing on lessons learned and experience gained since
the previous NIPP, the new plan provided the framework for collective action across all
CI sectors and all levels of government, incorporating both physical and cyber security
elements, including the resilience of CI networks and assets, into one unity of effort
aimed at increasing readiness and mitigating risk. The plan also established seven core
tenets aimed to guide the entire CI community (national level down to the owner and
operators) in the security planning process. Additionally, the NIPP introduced twelve
Calls to Action intended to not only satisfy the goals of the plan, but to also guide all
departments and agencies in a strategic direction to improve security and resilience of the
nation’s

74 The White House, “Presidential Policy Directive/PPD-21: Critical Infrastructure Security and
Resilience,” U.S. General Services Administration, February 12, 2013,
http://www.gsa.gov/portal/mediaId/176571/fileName/ATTCH_2_-_PPD-21.action.

75 “Critical Infrastructure Sectors,” Department of Homeland Security, accessed December 15, 2014,
http://www.dhs.gov/critical-infrastructure-sectors.

76 “Fact Sheet: Executive Order 13636 and Presidential Policy Directive (PPD)-21.”

77 Richard Stiennon, “PPD-21: Extreme Risk Management Gone Bad,” Forbes, February 14, 2013,
http://www.forbes.com/sites/richardstiennon/2013/02/14/ppd-21-extreme-risk-management-gone-bad/.

C.  NIST  RESPONSE  TO  EO  REQUIREMENT  7 

After a year of hosting a series of workshops and revising multiple drafts, NIST
released version 1.0 of its Cybersecurity Framework in February 2014. The framework
was designed to be a cost-effective cyber-risk management tool allowing organizations to
enhance critical infrastructure resiliency with minimal oversight from government
agencies, and satisfied requirement seven of EO 13636.79 The framework contains
industry standards and best practices for managing cybersecurity risk, including
procedures for protecting individual privacy and civil liberties during cybersecurity
activities.80 NIST’s framework is not static; rather, it is a living and breathing risk
management tool — shaped by both public and private sectors. Although originally
intended for owners and operators of CI, the framework’s application extends well
beyond CI — aiding any corporation (large or small) in any industry, in identifying
cyber-risks and strengthening networks. While critics downplay the framework for its flaws and
omissions, government agencies and businesses — small and large — are beginning to find
utility in the framework.

D. DHS RESPONSE TO EO REQUIREMENT 8

In February 2014, DHS launched C³VP (commonly referred to as C-Cubed) to
increase cybersecurity resiliency of critical infrastructure and to encourage use of the
voluntary Framework. The C³VP program was designed to assist SSAs in using and
implementing the Cybersecurity Framework and satisfied requirement eight of EO
13636. The program is available in an unclassified, open-source forum that speaks not
only to government and private agencies; it also offers academic, small business, and
self-service tools aimed at educating as many organizations and people as possible. Although
the voluntary program is still in its early stages, the primary focus for this first phase is to
provide guidance for those SSAs currently utilizing the Framework. In future phases,
DHS plans to expand the scope of the program to sectors of critical infrastructure willing
to adopt the Framework.81 In a video teleconference at the Naval Postgraduate School in
Monterey, CA, Director John F. Murphy, DHS Office of Cyber and Infrastructure
Analysis (OCIA), felt the program has been “beneficial” and “a big step forward” in
building relationships between the private sector and DHS.82

78 National Infrastructure Protection Plan (NIPP 2013): Partnering to Enhance Protection and
Resiliency, U.S. Department of Homeland Security, (Washington, DC: 2009),
http://www.dhs.gov/sites/default/files/publications/NIPP%202013_Partnering%20for%20Critical%20Infrastructure%20Security%20and%20Resilience_508_0.pdf

79 Jennifer Huergo, “NIST Releases Cybersecurity Framework Version 1.0,” NIST, February 12,
2014, http://www.nist.gov/itl/csd/launch-cybersecurity-framework-021214.cfm.

80 “Framework for Improving Critical Infrastructure Cybersecurity: Version 1.0.”


81 “Critical Infrastructure Cyber Community Voluntary Program.”

82 Critical Infrastructure for Homeland Security (OS4621) course lecture with John F. Murphy at the
Naval Postgraduate School, May 28, 2014.

III. PUBLIC-PRIVATE PARTNERSHIPS IN CYBERSECURITY


A. INTRODUCTION

DHS describes public-private partnerships as conditions in which government
agencies interact with private companies; these relationships differ from other
government-private associations in that both parties share in the resources, risks, and costs of
delivering a service to the public.83 The National Council for Public-Private Partnerships
(NCPPP) defines public-private partnerships as:

[A]  contractual  arrangement  between  a  public  agency  (federal,  state  or 
local)  and  a  private  sector  entity.  Through  this  agreement,  the  skills  and 
assets  of  each  sector  (public  and  private)  are  shared  in  delivering  a  service 
or  facility  for  the  use  of  the  general  public.  In  addition  to  the  sharing  of 
resources,  each  party  shares  in  the  risks  and  rewards  potential  in  the 
delivery  of  the  service  and/or  facility. 

As previously stated in the literature review, the concept of public-private
partnerships is nothing new in the United States. PPPs can be traced back to the Colonial
era in which the creation of a series of pharmaceutical laboratories led to government
agencies utilizing private businesses to not only advance the progress of science but
also benefit society.85 In today’s world of technology dependence and necessity for
interconnectedness, many government and private sector entities believe that a
cybersecurity information-sharing alliance between the government agencies and private
businesses is the preeminent course of action to defend against cyber-related attacks. This
chapter identifies and analyzes factors that both promote and challenge the establishment
of information-sharing PPPs to defend against cyber-related threats. Identifying these
factors not only provides the necessary evidence required to validate the three hypotheses
proposed in Chapter I, but also helps identify why information-sharing barriers exist
between government agencies and private companies.


83 Cellucci, “Innovative Public-Private Partnerships,” 4.

84 The National Council for Public-Private Partnerships, “Seven Keys to Success: Public-Private
Partnerships Defined,” accessed January 3, 2015, http://www.ncppp.org/ppp-basics/7-keys/.

85 Cellucci, “Innovative Public-Private Partnerships,” 4.

B. FACTORS PROMOTING PPPS

In 2002, the California Management Review featured an article that called into
question management’s role in cybersecurity. While the authors argue that no
organization can claim to enjoy perfect security, they do offer a few guidelines for those
in the executive level of companies for consideration in minimizing risk while
implementing a well-balanced and organized plan to combat cyber-threats. Despite being
over a decade old, these findings show that scholars and cyber experts were
stressing the importance of PPPs as both a tool and strategy to help combat
cybersecurity issues between the public and private sector long before the recent surge of
cyber-attacks.86 Although the report’s focus was mainly on management’s role in
encouraging PPP participation to enhance cybersecurity, several benefits for utilizing
PPPs aimed at securing vital networks of CI were identified. Certain costs are reduced
when private companies express their views on the economic consequences of poor
information security and when they agree to share their solutions to common security
problems with government agencies. This not only establishes a reputation between
private companies and government clients, but also improves private-government relations
and allows both sides the opportunity to gain a better understanding of each other’s
priorities and goals. Furthermore, participation in PPPs allows managers the opportunity
to implement shared best practices and, more importantly, a voice in shaping policy in
areas, such as the Freedom of Information Act (FOIA) and anti-trust laws — policies that
play a major role in public-private sector relations.87

Globalization and a rise in privatization of the public sector have resulted in many
private companies assuming responsibility for Critical Infrastructure Protection (CIP).
This has created a challenge for both public and private sectors as government and
private markets alone have become increasingly incapable of keeping up with cyber
threats and providing security for the majority of CI sectors.88 According to Myriam
Dunn Cavelty and Manuel Suter, Center for Security Studies (CSS) in Zurich,
Switzerland, cooperation between public and private entities in charge of CIP is essential.
Cavelty adds that PPPs “have become the preferred solution in the field of CIP.”89 They
give a lot of credit to the formation of sector-specific ISACs within the United States — an
answer to Clinton’s Presidential Decision Directive (PDD) 63. Although much work still
lies ahead in improving how ISACs work horizontally (with other ISACs), the authors
note that since 1999 — the creation of the Financial Services ISAC (FS-ISAC) — ISACs
have been performing as successful examples of cybersecurity information-sharing PPPs.
Furthermore, many foreign governments have also seen success in creating similar PPPs
that enjoy information-sharing between government and private industry designed to
protect CI.90 Further discussion of the FS-ISAC, including its contribution to
cybersecurity information sharing, is found in Chapter IV. While Cavelty and Suter
reiterate the utility and necessity of information-sharing PPPs outlined in President Bill
Clinton’s Commission on Critical Infrastructure Protection (PCCIP) — which, among
other tasks, called for the integration of private owners and operators of CI to help shape
security policy — the majority of their work is based on identifying limitations to PPPs of
CIP; therefore, those findings are discussed in the next section (Challenges and
Limitations).91

86 Amitava Dutta and McCrohan, Kevin, "Management's Role in Information Security in a Cyber
Economy," California Management Review 45, no. 1 (Fall, 2002): 67-87,
http://search.proquest.com/docview/215864793?accountid=12702.

87 Ibid., 76.

Although this research focuses on information-sharing alliances that help protect
CI from cyber threats, it is important to recognize the utility of PPPs in increasing
resilience during and after natural or manmade disasters — regardless of whether those
disasters or events involve the use of cyber. Several benefits of PPPs formed to protect CI
during times of disaster and recovery can be valuable in combating other types of threats,
such as cyber-attacks. A study in 2009, conducted by the National Incident Management
Systems and Advanced Technologies Institute, identified several benefits and challenges
in using PPPs to enhance resiliency during post-disaster response and recovery. The
authors examine how resilience and PPPs can align to enhance disaster recovery and, in
turn, recommend a framework that incorporates mutually supporting entities, such as
PPPs, local communities, and critical infrastructure key resources (CI/KR).92 The study
found that PPPs create unique opportunities to increase resilience during the response and
recovery phases by enabling decision makers to identify and focus the
capabilities of both public and private entities where they are best needed.93 Other
benefits include reducing certain limitations, such as trust, commonly associated with
public-private collaboration by establishing guidelines that increase transparency and
ensure accountability across the board.94 Trust between government and private firms
wishing to share information about cyber threats has become a major and more recent
concern. When stressful events occur, such as major disasters or cyber-attacks, trust
between both public and private sectors is paramount.

88 Myriam Dunn Cavelty and Suter, Manuel, “Public-Private Partnerships are no Silver Bullet: An
Expanded Governance model for Critical Infrastructure Protection,” International Journal of Critical
Infrastructure Protection Vol. 4, no. 2 (March, 2009): 179, doi:10.1016/j.ijcip.2009.08.006.

89 Ibid., 180.

90 Ibid., 181.

91 Ibid.

The most prominent benefits of establishing PPPs can be found in a report
published by DHS in the summer of 2010. The report identified three major benefits in
utilizing PPPs in general: First, PPPs increase efficiency in completing tasks and
requirements; second, they significantly reduce taxpayer spending; third, they improve
regulation compliance and increase service quality.95 DHS Chief Commercialization
Officer Tom Cellucci believes that the PPP model is being used to “make positive
changes in the way government and industry can work together” in solving homeland
security needs.96 While the report does not focus on cybersecurity specifically and bases
its findings primarily on commercialization-based PPPs, it does produce several
worthwhile benefits for policymakers to consider in fostering PPPs for cybersecurity
information-sharing. Citizens (or taxpayers) benefit from better protection and less
taxation; government agencies develop a better understanding of private sector needs and
use fewer public resources; and private companies become better positioned to support
public interests with their capabilities, ultimately contributing to the nation’s security. DHS
contends that PPPs produce a win-win-win scenario for all parties involved.97 Former
DHS Secretary Michael Chertoff also believes that PPPs are a better fit than simply
allowing the government to prescribe cybersecurity policy to private companies. Chertoff
believes that employing PPPs in cybersecurity would allow information to flow in both
directions, with the government offering research and intelligence, while the private sector
reciprocates by educating government agencies on data mining and analysis it
collects.98

92 Geoffrey T. Stewart, Kolluru, Ramesh, and Smith, Mark, "Leveraging Public-Private Partnerships
to Improve Community Resilience in Times of Disaster," International Journal of Physical Distribution &
Logistics Management 39, no. 5 (2009): 345,
http://search.proquest.com/docview/232592275?accountid=12702.

93 Ibid., 344.

94 Ibid., 346.

95 Cellucci, “Innovative Public-Private Partnerships,” 4.

96 Ibid., 2.

Neustar — a  private  corporation  that  analyzes  real-time  data  within  the  Internet  and 
telecommunications  industries — praised  the  U.S.  government’s  effort  in  facilitating  the 
establishment  of  PPPs  to  meet  the  nation’s  challenges  in  cybersecurity.  At  a  recent  forum 
hosted  by  the  Bipartisan  Policy  Center  (BPC),  Neustar’s  Chief  Technology  Officer  Mark 
Bregman  commended  the  government’s  efforts  to  bring  both  public  and  private  sectors 
together  to  meet  cybersecurity  challenges  to  the  nation’s  economy  and  national  security. 
Neustar  is  a  member  of  the  Executive  Branch’s  National  Security  Telecommunications 
Advisory  Committee  (NSTAC)  and  the  Federal  Communications  Commission’s  (FCC) 
Communications,  Security,  Reliability  and  Interoperability  Council  (CSRIC) — PPPs  that 
work  together  to  address  cyber  threats. 

C.  CHALLENGES  AND  LIMITATIONS 

While factors that promote the use of PPPs in cybersecurity are numerous, there
are also several challenges and limitations to establishing and employing them to
effectively counter cyber threats. Referring back to the findings in the 2002 California
Management Review that focused on management’s role in cybersecurity, the authors
discuss the existence of hardships in forming PPPs — even over a decade ago. Despite the
benefits realized from information-sharing PPPs, collaboration between two divergent
sectors is not an easy task, nor does it occur automatically.100 Perhaps the primary
concern for stakeholders on both sides has been the ability to achieve and maintain trust
between private sector companies and their government counterparts. Beyond the
obstacle of attaining trust lies cooperation between both parties, which requires not only
support from an appropriate number of personnel to satisfy requirements but also an
adequate amount of funding and resources to accomplish agreed upon objectives — the
latter being the most difficult to achieve due to shortages felt on both sides. Furthermore,
information-sharing PPPs need proficient leaders capable of fusing the divergent and
sometimes conflicting interests and cultures of both government agencies and private
companies.101 The report also lists FOIA as another prohibiting factor to
information-sharing between the government and the private sector; however, since 2002 there have
been several bills awaiting congressional approval that allegedly address the legal issues
of private sector companies sharing information about cyber threats with the government. In
his statement before the Senate Committee on the Judiciary, former Assistant Secretary
for Policy for DHS, Paul Rosenzweig, stated that the proposed exemptions to the FOIA
were “both wise and essential,” further expressing that “Current law[s] are, at best,
ambiguous (and at worst prohibitory) and therefore impedes [sic] the creating and sharing
of cyber threat and vulnerability information.”102 He, among others, believes that legal
barriers to cybersecurity information-sharing PPPs are a primary concern of the majority
of private-sector stakeholders.

Myriam Dunn Cavelty and Manuel Suter’s extensive work in cybersecurity CIP
also revealed several limitations in establishing and maintaining PPPs aimed at protecting
CI.103 First, they argue that the traditional PPP term is not applicable in the field of CIP
since the majority of existing PPPs are project-based (designed to create efficiency)
rather than time-based (aimed at building trust). Information-sharing between two diverse
entities can only occur when mutual trust has been established, which requires a
significant amount of time. Understanding this distinction, according to Cavelty and
Suter, is necessary when thinking about PPPs in the field of CIP. Second, while the
private sector owns and operates the majority of the nation’s CI, it is also increasingly
finding itself in charge of protecting it. Since the fundamental duty of the state is
protection of its citizens, delegating the task of security to the private sector raises some
concerns over converging interests. While both public and private sectors share in the
concern of disclosing information — government fears of unauthorized recipients gaining
access to sensitive information and private sector fears of government security leaks —
their interests begin to diverge with the private sector becoming more concerned about
business continuity than resolving state concerns over security issues. Furthermore,
because the majority of private companies conduct their business abroad, they can only
moderately enjoy the benefits of national collaboration. Third, and probably the
biggest challenge to PPPs, is that most successful information-sharing exchanges occur
inside much smaller circles, in which public and private agencies already enjoy some
familiarity and degree of trust from previous relations. The underlying issue of
information-sharing between public and private businesses is that in order to achieve
trust, one needs collaboration; however, the success of that relationship relies heavily on
trust. This is what the authors refer to as the “classic assurance problem” or
“‘chicken-and-egg’ paradox.”106 Cavelty and Suter argue that forming new PPPs that share
sensitive information is more difficult because it requires a high degree of mutual trust,
and that such PPPs are most likely doomed to fail in larger frameworks.107
In 2011, former DHS Deputy Secretary William Lynn III also believed that trust
issues; legislation preventing information exchange; fear of client and stakeholder
criticism; and inter-government agency conflicts were some of the top challenges facing
public-private sector collaboration in the cyber domain.108 A major limitation to
information-sharing PPPs, such as ISACs, is that most are voluntary in nature; in other
words, they can only share information they receive. While the U.S. government
facilitates the organization of ISACs to collect, analyze, and disseminate cyber threat
information, problems such as free-riding often result from inadequate incentives.
Furthermore, not all ISACs share information with other ISACs, which greatly limits the
distribution of critical threat information to other industries, leaving ISAC databases
unreliable and resulting in analysts producing incomplete results.

Manuel  Suter,  who  is  also  affiliated  with  the  International  Cyber  Center  at  George 
Mason  University,  held  a  cybersecurity  workshop  in  Zurich,  Switzerland,  in  the  summer 
of  2010  where  he  discussed  some  of  the  challenges  and  best  practices  of  cybersecurity 
PPPs  aimed  at  protecting  CI,  and  how  to  best  manage  those  partnerships.  Some  of  the
major  challenges  facing  cyber  PPPs  identified  include: 

•  Unclear  delineation  of  roles  and  responsibilities 

•  Lack  of  trust  between  partners 

•  Diverging  interests 

•  Misplaced  expectations

Suter also found that some private companies have become frustrated and
backed out of partnerships due specifically to the unwillingness of government actors to
reasonably cooperate. He concluded that while PPPs are vital in satisfying cybersecurity
policies, they are difficult to establish. His findings echo many of the same major
challenges to PPPs that have been highlighted throughout this chapter.


D. CYBERSECURITY PPPS IN ACTION

Perhaps the best approach for analyzing the effectiveness of PPPs is to examine a
few already-established partnerships between the government and private business
aimed at combating cyber-attacks and threats. As a result of the military’s overwhelming
task of protecting cyberspace against intrusion, U.S. Cyber Command (USCYBERCOM)
was created in the summer of 2009 and became fully operational in late 2010. The
consolidation comprises the four service entities in charge of cyberwarfare (U.S.
Army, Navy, Air Force, and Marine Corps) and is headed by one appointed service
commander, Admiral Michael S. Rogers (at the time of this study).112 One of
USCYBERCOM’s missions is to partner with various government and non-government
entities aimed at combating cyber threats, according to Deputy Defense Secretary
William J. Lynn in 2010. As a part of the Pentagon’s Cyberstrategy, Lynn stressed
the importance of USCYBERCOM’s partnership with DHS and private enterprise in
exchanging cyber-related threat information and managing mutual vulnerabilities. “The
effort to defend the United States will only succeed if it is coordinated across the
government, with allies, and with partners in the commercial sector,” argued Lynn.114

Another PPP of interest is the Enduring Security Framework, a collaboration of
several major IT and defense companies, along with representatives from DHS, ODNI
(Office of the Director of National Intelligence), and DOD, which was launched toward the
end of 2008.115 Top executives from the private sector are granted a one-day top secret
clearance and meet in Washington, DC, two to three times a year to discuss current cyber
threats, capabilities, and cyber weapons, and to share cybersecurity best practices. CEOs are
then able to take this information back to their respective companies to protect their own
networks against the latest cyber-attacks. The most recent meeting, held on September
14, 2014, included a discussion on insider threats, DDoS, and destructive malware. At
the time of his report, Lynn stressed the need for other agencies, such as The National
Security Agency (NSA), to utilize their capabilities outside the government domain
(.gov) to defend against critical network intrusions and cyber-attacks in commercialized
domains (.com). “The best-laid plans for defending military networks will matter little if
civilian infrastructure ... is not secure,” argued Lynn.118

The National Cybersecurity and Communications Integration Center (NCCIC) is
another public sector effort to encourage and establish cybersecurity PPPs. The NCCIC
works with 18 separate private-sector industries to maintain an open dialog about
cybersecurity threats and offers assistance when necessary; Facebook and Twitter were
two recent examples. Homeland Security’s National Cyber Security Division (NCSD)
has also worked with private groups to investigate cyber-attacks, such as the Stuxnet
worm — which infected several critical networks in the countries of Iran and Indonesia —
and has facilitated cyber exercises, such as Cyber Storm III.120 More recent examples of
private firms working with federal agencies to combat cyber incidents include Microsoft
and a government CERT team — whose joint efforts were responsible for dismantling the
Waledec botnet (a virus that infected Windows users worldwide); the NSA also assisted
Google with an investigation into the Internet giant’s security breach.121 These are just a
few cases that not only illustrate the advantages of public-private collaboration, but also
promote the use of PPPs in strengthening cybersecurity efforts.

Between 2008 and 2011, the information-sharing efforts of the National Cyber
Forensics and Training Alliance (NCFTA) resulted in hundreds of criminal investigations
and prosecutions in cyber-related crimes.122 NCFTA — a non-profit corporation — is the
only international cross-sector PPP model that unites over 500 subject matter experts
(SME) from both public and private sectors worldwide, consisting of members from the
FBI, U.S. Immigration and Customs Enforcement (ICE), and Postal Inspection Service
that collaborate with private industry, academia, and law enforcement to thwart
cyber-attacks and threats. Since its inception in 2002, the coalition’s focus has been to support
the timely exchange of the most up-to-date cyber threats, including cyber-related crimes
that occur within the IT and finance sectors, among others.123

A more recent and successful PPP model comes from the development of NIST’s
Cybersecurity Framework 1.0 (discussed in Chapter II). After a year of hosting a series of
workshops and revising multiple drafts, NIST released version 1.0 of the framework — a
structured roadmap designed to improve resiliency, increase computer network security,
and encourage companies to discuss and evaluate best practices for managing
cybersecurity risk.124 While the framework was initiated by the White House, it is far
from any government-regulated standard. NIST “went to great lengths to collect, distill,
and incorporate feedback from security professionals,” said Wyatt Kash of
InformationWeek. He praised NIST for its public-private methodology of employing
both public and private sector stakeholders into a PPP to develop the framework. “The
framework has cred, as its recommendations come not from Washington regulators, but
from industry experts who’ve combatted cyberattacks,” added Kash.126 NIST executives
state that their intention is to preserve the framework as a “living document,” and expect
to receive continual updates and improvements “as industry provides feedback on
implementation;” further claiming that “lessons learned will be integrated into future
versions.”127 From April 2013 to April 2014, NIST hosted five Framework Workshops
and its first Privacy Engineering workshop to discuss development, solicit questions, and
request feedback from industry, cybersecurity experts, and government agencies.128
NIST recently conducted its second Privacy Engineering workshop in September 2014
and its sixth Framework Workshop in October — its first gathering of industry
stakeholders, academia, and the government since the framework’s debut. Stakeholders
from both sides assessed industry use and awareness of the framework and addressed
issues identified from industry feedback.129 NIST has been very aggressive in making
steady improvements to the framework to ensure companies can adapt to evolving cyber
threats; private sector owners and operators of CI — the framework’s end-users — have
been the key component in providing recommendations to shape the framework. IBM
Security Advisor, Diana Kelley, believes the “Framework can bring valuable guidance to
all industries and organizations that depend on IT for their operations because it brings a
common language and model to the process of managing cybersecurity risk.”130 Despite
the framework’s infancy, it has made headlines. In the recent Heartbleed Saga — a newly
discovered vulnerability in OpenSSL (Secure Sockets Layer) encryption software —
government agencies utilized the framework throughout the entire process from
identifying the threat to recovery.131 While private industry and government agencies
seemed to lack common syntax, risk-management, and structure in cybersecurity, NIST’s
Framework seems to be filling that void and adding to the growing list of successful PPPs
in cybersecurity.

E. SUMMARY

As economies, government agencies, businesses, and individuals continue to
depend on the advances of technology for everything from banking and trading to
communicating and shopping, cyber-attacks to U.S. critical infrastructure and national
security are becoming more sophisticated and harder to defend. Unfortunately, this desire
and need for interconnectedness has led to an increasing vulnerability in both government
and private sectors. This chapter analyzed factors that promote and challenge the
establishment of information-sharing PPPs to help defend against cyber-related threats. It
also discussed current cybersecurity PPPs in action — such as Enduring Security
Framework, the NCFTA, and the development of NIST’s Cybersecurity Framework 1.0.
While the utility of PPPs in cybersecurity is steadily increasing, several challenges still
remain. Three common barriers are lack of trust; legal concerns protecting private
companies from litigation; and diverging interests and missed expectations between
government and private companies. The conclusion of this chapter leads us to the major
thesis question: if there are so many successful cases and incentives in utilizing PPPs to
increase security and efficiency in both public and private sectors, then why is there an
apparent failure of government and private sector cooperation in cybersecurity
information-sharing? The following case study will address this problem by identifying
the current issues surrounding this dilemma within the banking and finance CI sector.


131 Nicole Blake Johnson, “The Cybersecurity Framework's Role in the Heartbleed Saga,”
Fedtechmagazine, July 3, 2014,
http://www.fedtechmagazine.com/article/2014/07/cybersecurity-frameworks-role-heartbleed-saga.




IV.  CASE  STUDY:  INFORMATION  SHARING  WITHIN  THE 
BANKING  AND  FINANCE  SECTOR 

A. INTRODUCTION

This chapter assesses the current challenges facing the establishment of PPPs to
advance cyber information sharing within the banking and finance sector of U.S. Critical
Infrastructure. For the purpose of this research (as mentioned earlier in Chapter I), the
cyber-related attacks examined in this thesis are those involving major banks and
corporations that affect the U.S. and world economy; personal identity theft that results in
either potential or actual financial loss; and network breaches of major retail companies
that apply to the financial CI sector. While cyber-related incidents involving identity theft and
breaches of major retail companies also fall under the IT sector, this thesis found that the
majority of literature and evidence identifying the barriers to information-sharing
between public and private entities exists within the banking and financial sector.

To establish the necessity for both public and private sector collaboration in
cybersecurity, this chapter first offers a brief background of the most prominent
cyber-attacks that have affected the finance sector — including threats originating from China
and Iran, and the recent surge in identity theft — to help establish the urgency of why both
public and private agencies need to establish cybersecurity information-sharing
partnerships. Second, it offers a brief overview of the FS-ISAC and its contribution to
cybersecurity information-sharing between the public and private sector. Finally, this chapter
identifies the more recent barriers to public-private cooperation in cybersecurity to help
validate the three hypotheses introduced in Chapter I. These three explanations are
validated in the final chapter.

B. BACKGROUND

In the summer of 2012, the Director of the National Security Agency (NSA),
General Keith Alexander, announced that cyber-attacks on U.S. critical infrastructure
companies had increased seventeen times between 2009 and 2011. He argued that attacks
on our nation’s critical infrastructure are far more damaging than espionage and other
similar computer crimes. “On a scale of 1 to 10,” according to Alexander, “American
preparedness for a large-scale cyber-attack is around a 3.”132 At the time of his statement,
Congress was in the process of passing legislation that authorizes government agencies to
intervene in defending the networks of the private companies that operate our nation’s
infrastructure.133

By ignoring multiple DDoS attacks on local websites only weeks prior to the
Russian troop movement into South Ossetia in August 2008, the Georgian government
allowed its cyber infrastructure to be shut down.134 Although forbidden by the Hague (V)
Conventions of 1907, the Georgian government set up a temporary cyber-shop in three
other countries, including the United States, in order to counter the Russian attack and
protect its cyber infrastructure.135 U.S.-based servers, operated by TS Host, a
multi-million dollar company that provides secure servers for businesses, provided a safe
location for the Georgian government to re-launch its more critical websites; however,
neither TS Host nor the Georgian government received permission to do so.136 While the
United States has authority under the Hague (V) Conventions of 1907 to remain neutral137
during a cyber-war carried out between two other combatant nations, this incident
revealed that governments have minimal oversight on countries like Georgia that seek out
private companies, seeded in U.S. territory, to render aid during a crisis like the
Russian-Georgia War.138 Although these cyber-attacks were specifically concentrated on
Georgia’s government and economy, it validated not only Russia’s capability to conduct

132 David E. Sanger and Eric Schmitt, “Rise is Seen in Cyberattacks Targeting US Infrastructure,”
New York Times, July 26, 2012,
http://www.nytimes.com/2012/07/27/us/cyberattacks-are-up-national-security-chief-says.html?_r=0.

133 Michael McCaul, “Hardening Our Defenses Against Cyberwarfare,” The Wall Street Journal,
March 5, 2013, http://online.wsj.com/news/articles/SB10001424127887324662404578336862508763442.

134 Stephen W. Korns and Joshua E. Kastenberg, "Georgia's Cyber Left Hook," Parameters 38, no. 4
(2009): 60. Proquest Research Library (198032208).

135 Ibid., 62.

136 Ibid., 67.

137 For further information on cyber neutrality see Michael N. Schmitt, Tallinn Manual On the
International Law Applicable to Cyber Warfare: Prepared By the International Group of Experts At the
Invitation of the NATO Cooperative Cyber Defence Centre of Excellence (New York: Cambridge
University Press, 2013): 248-255.

138 Korns and Kastenberg, "Georgia's Cyber Left Hook," 61-2.
such attacks, but also its will to utilize cyber warfare offensively. Today, policymakers
face the challenge of preventing a repeat like Georgia’s demonstration of exploiting U.S.
cyber assets to remain active during war, or much worse, directly attack U.S. banking and
finance CI. The majority of cyber-related attacks on U.S. banking and finance have
originated in the countries of China and Iran. For this reason, it is helpful to identify and
discuss these occurrences below separately. Additionally, attacks involving identity theft
and the 2014 surge in criminal cyber activity are also discussed.

1.  China 

In January 2010, a group of hackers from China infiltrated Morgan Stanley’s
computer network, although no reports indicate the extent of damage caused by the
network breach. Morgan Stanley’s cyber security firm was responsible for leaking the
incident to the public. From March 2010 until April 2011, twenty separate illegal wire
transfers occurred between several U.S. businesses and Chinese trade companies due to
the compromise of online banking credentials. According to the FBI, the fraudulent
transactions cost an estimated $11 million in individual losses — totaling $20 million
overall. During a six-month network breach that began in October 2011, a hacker from
China targeted the intellectual property of 48 chemical and defense companies, according
to the virus-smashing firm Symantec. In December 2011, hackers from China penetrated
the U.S. Chamber of Commerce networks, which contained several communications on
trade policy secrets between U.S. companies. Several media outlets linked the People’s
Liberation Army (PLA) to the breach. The news syndicates The New York Times, Wall Street
Journal, Washington Post, and Bloomberg News also attributed several cyber-attacks
in January 2013 to China. What was most potentially damaging, although not specific to
the finance and IT sectors, was the breach of the U.S. Army Corps of Engineers’ network
in May 2013, in which Chinese hackers gained direct access to the inventory and data of
all U.S. dams.139


139  CSIS,  “Significant  Cyber  Events.” 
2. Iran


Iran has also had its fair share of credit for cyber-attacks on the U.S. financial
infrastructure. The most attributable Iranian-linked hacker group to date has been the
Izzad-Din al-Qassam Cyber Fighters, which is also known for its ties to the terrorist
group Hamas. The cyber-attacks from the group span between September 2012 and June
2013. The most noteworthy of attacks began with the group’s launch of Operation
Ababil, which involved a series of continuous Distributed Denial of Service (DDoS)
attacks aimed at the websites of several U.S. financial institutions in September 2012.
One month later, reports indicated that six major U.S. banks fell victim to DDoS attacks.
In January 2013, the group once again claimed ownership of similar DDoS attacks on the
iconic financial institution, U.S. Bank. From March to June 2013, the group continued to
target reputable U.S. financial institutions under Operation Ababil. During its twenty-one
month cyber-wrath, the Cyber Fighters conducted three phases of DDoS attacks. Toward
the close of the third phase, the group warned of a fourth; however, since that
announcement, the group has been unnervingly silent.140 This has likely contributed to
increased security measures taken by major U.S. financial institutions immediately
following the group’s announcement. Despite the ominous silence from the Izzad-Din
al-Qassam Cyber Fighters, other anonymous Iranian hackers have emerged, amassing
their efforts to attack the wide spectrum of U.S. critical infrastructure.142

3. Identity Theft

Identity  theft  is  a  major  and  more  recent  area  of  concern  in  the  cyber  world.  Gone 
are  the  days  when  simply  covering  up  an  ATM  pin  number,  shredding  bank  statements, 
or  even  encrypting  the  network  is  adequate  or  acceptable.  Criminals  today  are  more 
sophisticated  and  efficient — using  the  very  same  technology  we  use  and  enjoy  against  us 

140 Tracey Kitten, “DDoS: Attackers Announce Phase 4,” Bank Info Security, Information Security
Media Group, July 23, 2013,
http://www.bankinfosecurity.com/ddos-attackers-announce-phase-4-a-5929/op-1.

141 Matt Egan, “Banks Deploy Shields to Block New Wave of Cyber Attacks,” Fox Business, July 31,
2013,
http://www.foxbusiness.com/technology/2013/07/31/banks-deploy-shields-to-block-new-wave-cyber-attacks/.

142 CSIS, “Significant Cyber Events.”
to steal our identities and livelihood without ever knowing us or even leaving their living
rooms. One cybercriminal that stands out is Albert Gonzalez who, up until the more
recent Target and Sony hacks, pulled off the largest case of identity theft in U.S. history.
Between 2006 and 2008, Gonzalez and a few Russian associates allegedly hacked over
130 million credit card accounts via the websites of five major retailers.

In December 2009, a group of hackers from China infiltrated the networks of
search engine mogul Google, as well as the networks of some 30 other companies.
According to Google, the hackers were successful in collecting valuable data, including
gaining access to Google’s password management system and user e-mail accounts.
Another noteworthy case involving the tech giant Google occurred in April 2011, in
which Google announced that the Gmail account passwords of hundreds of distinguished
individuals had been compromised by hackers in China using phishing scams. The
following month, hackers infiltrated the popular Sony PlayStation network and stole the
personal information of over 80 million clients — the breach cost Sony over $170
million — although this incident has been overshadowed by the more recent Sony
computer system breach and shutdown in late 2014.144

Similar  to  the  actions  of  Albert  Gonzalez  a  few  years  earlier,  a  group  of  hackers  in 
June  2011  managed  to  acquire  the  data  from  360,000  Citibank  credit  card  owners.  Two 
years  later,  the  FBI  charged  five  Ukrainian  and  Russian  hackers  with  possession  of  over 
160  million  credit  card  numbers,  resulting  in  a  loss  of  over  a  hundred  million  dollars. 
More recently, in December 2013, credit and debit card information of over 40 million
shoppers at the retail giant Target was stolen and sold on a well-known organized crime
forum  in  Eastern  Europe.  The  full  magnitude  of  this  breach  was  still  under 
investigation  at  the  time  of  this  research. 

Recent high-profile cyber events, such as Heartbleed, Target’s data breach, and
Sony Corp’s hack, among several others, have led to new talks within other CI sectors,

143 Aly Weisman, “A Timeline of the Crazy Events in the Sony Hacking Scandal,” Business Insider,
December 9, 2014, http://www.businessinsider.com/sony-cyber-hack-timeline-2014-12.

144 Ibid.

145 CSIS, “Significant Cyber Events.”




including the Information Technology (IT) and Communications Sectors. The Federal
Communications Commission (FCC) recently began an initiative to align its
cybersecurity activities with NIST’s Framework — calling on all members within the
industry to invest in innovation and professional development. FCC Chairman Tom
Wheeler stated that the private sector will lead the initiative, but be government backed,
and will “identify public goals, work with the affected stakeholders... and let that
experience inform whether there is any need for next steps.”146 Wheeler believes that
aligning efforts with the framework will increase situational awareness, minimize
cybersecurity risk, and improve innovation and professional development within the
technology and communications industry.147 Increasing attacks on critical networks that
hold personal data stress the need for a more structured approach involving both public
and private sector collaboration.

4. 2014 Surge in Cyber Criminal Activity

While the previous section focused on cybersecurity issues between the years
2006 and 2013, the recent surge of cyber-attacks on networks that hold personal data in
2014 (during the writing of this thesis) cannot be overlooked; thus, they are noted herein
to help establish the importance of this research. A recent article published by Forbes
listed the top 20 major data breaches of 2014 from malware designed to seize debit and
credit card information to the compromise of private records, including social security
numbers.148 Table 1 lists the top ten breaches based on the highest number of people
affected and the most potentially damaging.


146 Jameson Dempsey, Dawn Damschen, and Steve Augustino, “What to Watch For With the FCC’s
New Cybersecurity Initiative,” The Telecom Monitor, June 27, 2014,
http://www.telecomlawmonitor.com/2014/06/articles/broadband/what-to-watch-for-with-the-fccs-new-cybersecurity-initiative/.

147 Ibid.

148 Bill Hardekopf, “The Big Data Breaches of 2014,” Forbes, January 13, 2015,
http://www.forbes.com/sites/moneybuilder/2015/01/13/the-big-data-breaches-of-2014/.
Company/entity         # affected   Data compromised
eBay                   233 mil      Contact/login info
JP Morgan Chase        76+ mil      Private records
Home Depot             56 mil       Debit/credit/e-mail
Community Health Sys   4.5 mil      Private records
Michaels               2.6 mil      Debit/credit info
Staples                1.16 mil     Debit/credit info
Goodwill               868,000      Debit/credit info
Aaron Brothers         400,000      Debit/credit info
Sally Beauty           280,000      Debit/credit info
Sony                   62,000*      SSNs/Private records

*Investigation ongoing

Table 1. Major Data Breaches of 2014.149

C.  FS-ISAC 

The Financial Services Information Sharing and Analysis Center (FS-ISAC) is one of
several threat information sharing centers that provide two-way sharing of cybersecurity
threats between private owners and operators of CI and government agencies. It was
established in 1999 as one of the first ISACs created in response to Presidential Decision
Directive 63 (PDD-63), which was later superseded by Homeland Security Presidential
Directive 7 (HSPD-7). PDD-63 called for the establishment of an information-sharing
hub between both public and private sectors to exchange cybersecurity threats,
vulnerabilities, risk assessments, and best practices to enhance protection of U.S. critical
infrastructure. As mentioned in Chapter III, ISACs have been performing as successful
examples of cybersecurity information-sharing PPPs.151 Since inception, membership

149 Data retrieved from Hardekopf, “The Big Data Breaches of 2014.”

150 Financial Services Information Sharing and Analysis Center, “About FS-ISAC,” FS-ISAC website,
accessed January 3, 2015, https://www.fsisac.com/about.

151 Cavelty and Suter, “Public-Private Partnerships,” 181.
within the FS-ISAC has grown to nearly 5,500 members152 — not only within the
Americas, but globally. In 2013, the ISAC expanded its partnership to participating
companies in the regions of Europe, Middle East, and Asia-Pacific.153 FS-ISAC
participation is recommended by the following government agencies: U.S. Treasury, U.S.
Secret Service, DHS, and the FSSCC.154

Beyond  facilitating  the  sharing  of  cyber  threat  information,  the  FS-ISAC  has 
supported  several  annual  cybersecurity  exercises  that  test  the  capabilities  of  financial 
institutions  to  respond  and  recover  from  cyber-attacks.  The  most  recent  exercise  was 
the  5th  Annual  Cyber  Attack  Against  Payment  Processes  Simulation  (CAPP)  held  in 
September  2014,  which  tested  nearly  1,000  participating  financial  institutions  (that  utilize 
payment services) to respond to multiple simulated cyber-attacks in two separate,
two-day robust cybersecurity scenarios. In addition to the invaluable experience gained,
these  CAPP  exercises  are  offered  to  any  institution  that  utilizes  payment  services  at  no 
cost — allowing  small-to-medium  sized  companies  to  participate — which  ultimately 
expands  the  participation  potential  of  the  private  sector  in  information-sharing  PPPs. 

In an effort to address both public and private sector concerns of the timely
exchange of cyber-related threat information, the FS-ISAC has adopted the use of two
new (DHS driven) automated sharing initiatives that aim to speed up the process of
collecting and disseminating cyber-attack data. The Structured Threat Information
eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII)
programs — initiated and backed by DHS — were designed to help private companies and
government agencies streamline (at no cost) their methods of sharing critical cyber threat


152 Financial Services Information Sharing and Analysis Center, “Affiliate Program,” FS-ISAC
website, accessed January 3, 2015, https://www.fsisac.com/partners/affiliate-programs.

153 FS-ISAC, “About FS-ISAC.”

154 Ibid.

155 John Ginovsky, "Cyber Threat." American Bankers Association, ABA Banking Journal 104, no. 12
(12, 2012): 27, http://search.proquest.com/docview/1269722356?accountid=12702.

156 Financial Services Information Sharing and Analysis Center, “FS-ISAC Cyber Attack (against)
Payment Processes (CAPP) Exercise,” FS-ISAC website, accessed January 10, 2015,
https://www.fsisac.com/fs-isac-cyber-attack-against-payment-processes-capp-exercise.
information automatically versus manually. FS-ISAC’s continual effort to endorse
programs that encourage information-sharing within the banking and financial industry;
simplify the methods in which information is shared; and more importantly, address the
concerns of both sectors, such as the lack of timely exchange of threat information, only
reinforces the value and necessity for private firms to become active participants. Despite
such efforts to spur participation, private industry is still finding difficulty in contributing
to PPPs.

D. FINDINGS AND ANALYSIS

In an environment lacking legislation that requires companies to adopt tighter
cybersecurity measures, a current evaluation of the effectiveness of information sharing
between public and private sector agencies should: first, help identify barriers to
establishing cybersecurity PPPs; and second, add value to existing knowledge in
cybersecurity issues involving the compromise of U.S. banking and finance
infrastructure. Recent testimony from cybersecurity and industry professionals and other
empirical research on cybersecurity information-sharing reveal several underlying issues
inhibiting public-private cooperation.

In the spring of 2013, the National Telecommunications and Information
Administration (NTIA) and NIST requested — under direction from the president — an
evaluation of incentives established by DHS that encourage information sharing and
adoption of NIST’s Framework (still in development at the time). Among the many
participants was the Financial Services Sector Coordinating Council (FSSCC) for Critical
Infrastructure Protection and Homeland Security — established in 2002 for the purpose of
coordinating critical infrastructure protection efforts within the financial sector. In
response to NTIA’s inquiry, the FSSCC identified several private business concerns with
private-public collaboration within the financial sector. The Financial Services Sector

157 Phyllis Schneck, “Hearing on Cyber Security: Prepared Testimony,” U.S. Senate Committee on
Banking, Housing, and Urban Affairs, December 10, 2014,
http://www.banking.senate.gov/public/index.cfm?FuseAction=Files.View&FileStore_id=990G741-335b-49be-ad3a-a43475ae41b5.

158 Financial Services Sector Coordinating Council for Critical Infrastructure Protection and
Homeland Security, “Our Mission,” FSSCC website, accessed January 29, 2015,
http://www.fsscc.org/fsscc/about/default.jsp.
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Coordinating  Council  (FSSCC)  argued  that  “issues  of  information  sharing,  misaligned 
ineentives,  eriminal  penalties  and  aeeess  to  government  resourees”  must  be  resolved  if 
finaneial  institutions  are  to  adopt  ineentives,  sueh  as  those  outlined  in  NISTs 
Framework — a  tool  designed  to  improve  and  eneourage  information  sharing  between 
both  publie  and  private  divisions  aeross  all  seetors  of  Cld^^ 

The council found it challenging to offer incentives to private owners and
operators of CI within the financial sector to adopt the framework that encourages
information-sharing when standards and requirements are unclear. The financial sector
is already subject to many regulatory requirements, such as federal and state laws,
including cybersecurity examination standards derived from the Financial Services
Modernization Act of 1999—a law that establishes standards for businesses within the
finance sector, such as brokerage firms, commercial banks, and insurance companies, to
collaborate with one another. Thus, in the absence of clear guidelines that will either
become additional requirements or become an entirely new standard, private financial
companies will continue to abide by existing regulations, which could deter many private
financial firms from collaborating with government agencies.

Another area of concern identified by the FSSCC is the lack of timely exchanges
of threat information between both public and private agencies, information that could
aid in creating adequate protective measures against malicious online activity. Five
years after the GAO reported the same findings (discussed in Chapter I: Literature
Review), the same information-sharing issues appear to be troubling the banking and
finance CI sector. The FSSCC also conveyed private sector concerns about the balance of
incentives and disincentives between attackers and defenders—lack of law enforcement
prosecuting cyber-criminal activity. While private businesses expect state and federal
law enforcement to seek out and prosecute criminals, issues of attribution and the lack of
resources to investigate cyber-crimes make it almost impossible to deter cyber criminals
or bring them to justice; furthermore, banks and other financial institutions usually
sustain losses from cyber-attacks, such as data theft and trade secrets, that are impossible
to recover. The imbalance of incentives and disincentives between private financial
firms and cyber criminals—coupled with the government’s inability to protect and
prosecute—could yet be another deterrent to greater private-public collaboration.

Charles Blauner, “Comments on Incentives to Adopt Improved Cybersecurity Practices: Notice of
Inquiry,” National Telecommunications and Information Administration, April 29, 2013, 2,
http://www.ntia.doc.gov/files/ntia/fsscc_response_-_doc_noi.pdf

161 Also known as the Gramm-Leach-Bliley Act; Gramm-Leach-Bliley Act, U.S. Government

While initial concerns of violating anti-trust laws and the FOIA have hindered the
establishment of cybersecurity PPPs in earlier years, one constant barrier has continued to
be trust issues between the public and private sector. While the majority of literature
surrounding cybersecurity PPPs identifies a lack of trust across all sectors of CI as the
chief concern among both private and government agencies, the banking and finance
industry has begun to develop and experience other concerns. In his testimony before the
U.S. Senate Committee on Homeland Security and Governmental Affairs in March 2014,
Steven R. Chabinsky expressed his concerns about cybersecurity partnerships between the
public and private sector. Among those are: non-disclosure agreements preventing
private businesses from sharing threat information with the government; arduous
background checks for private firms seeking clearance to classified threat information
from the government; larger companies with a global footprint sharing sensitive,
government-provided threat information with other security firms abroad; U.S.
government agencies sharing newly discovered private business vulnerabilities with other
foreign law enforcement and intelligence agencies; and free-riding companies that
participate only to collect threat information and to network with other agencies but
contribute minimally, or even not at all.165

Despite an increase in information flow between the public and private sector in
the finance industry, such as the 2009 cybercrime collaboration of the FBI, FS-ISAC, and
National Automated Clearinghouse Association (NACHA)—a recent PPP effort aimed at
ensuring information exchange between all parties occurs in a timely and tailored
manner—private companies have expressed their concerns over the government’s
uncoordinated influx of bulky and sometimes irrelevant threat information. In other
words, government agencies are simply pushing unfiltered data to private agencies that
either a) companies already had knowledge of; b) was irrelevant; or c) came without
specific requests from individual clients. Chabinsky’s testimony serves as evidence that
supports what the GAO found 5 years earlier, when it surveyed five separate CI sectors
(noted in Chapter I). Thus, private industry continues to be concerned that government
agencies are measuring their information-sharing successes on quantity versus quality,
irrespective of the actual utility of threat information, thus serving as another deterrent for
private-public cooperation.

In his testimony before the U.S. Senate Committee on Homeland Security and
Governmental Affairs in March 2014, Steven R. Chabinsky echoed what the FSSCC had
been arguing just one year prior: the unbalanced costs between attackers and
defenders. While attackers continue to increasingly penetrate banking and financial
networks at a low and sometimes even zero cost, defenders (private industry) continue to
see a rise in cybersecurity costs. Private companies are concerned that the government is
ineffective in challenging and prosecuting cyber-criminal activity. The recent alleged
DDoS attacks from the countries of North Korea and Iran on U.S. financial institutions
are an example of how the government has left network security up to the private
sector. While private companies continue to focus their resources on reducing
vulnerabilities, the government seems to remain disengaged in providing adequate
protection, thus increasing security costs to private sector businesses.

In May 2014, the New York Department of Financial Services (NYDFS) issued
its Report on Cybersecurity in the Banking Sector, which surveyed 154 financial
institutions on the status of their cybersecurity programs and participation in
information-sharing partnerships. While the organization’s report focused mainly on
current cybersecurity programs and barriers within its own organizations, it also
discovered that participation in information-sharing partnerships of small- to
medium-sized financial institutions (whose assets ranged from less than $1 billion to
$10 billion) was much lower than that of their larger financial associates (whose assets
were greater than $10 billion). Figure 2 illustrates the NYDFS’s findings.

Figure 2. Financial Institution Participation in Information-sharing

The report noted that while over 60% of larger financial institutions reported
participating in information-sharing coalitions, such as the FS-ISAC, fewer than 25% of
smaller corporations were—due, in part, to limited financial resources despite the costs
for membership in ISACs for smaller financial institutions being relatively low when
compared to the benefits of receiving timely physical and cyber threat information.
The report concludes that despite a recent increase of private financial firms willing to
share threat information and participate in ISACs, there are numerous others that remain
on the fence over the fear of exposing any weakness to the public—or worse, to their
competitors.

Andrew M. Cuomo, “Report on Cyber Security in the Banking Sector,” New York State

Another challenge to private-public information sharing is found within the
Information Technology (IT) sector. As previously noted in Chapter I, cybersecurity
issues within the FS sector oftentimes fall into other sectors, such as the IT sector.
Frequently, the lines between cybersecurity information sharing within the IT and FS
sectors become blurred, as when a network breach of a major retailer results in
financial loss. Thus, it is important to include evidence within the IT sector in this
chapter. One of those challenges is the difference in threat perception among government
and private industry, despite sharing similar interests. In a 2013 interview, IT-ISAC
Executive Director Scott Algeier shared his assessment of cybersecurity information
sharing between public-private entities. Algeier did not believe (at the time) that
information-sharing was where it needed to be: despite the many successes, such as
establishing a baseline risk assessment for the IT sector, which concentrates on low
probability-high consequence and high probability-low consequence cyber events, most
of these successes are private sector centered rather than joint initiatives. “We have a lot
of individual initiatives, but we [do not] have an integrated program,” Algeier argued.
He observed that one of the primary challenges of private-public cyber
information-sharing is how the private IT industry perceives cyber threats. According to
Algeier, government agencies view cyber threats and vulnerabilities on a national security
level, whereas private companies are primarily concerned about how those cyber threats
and vulnerabilities affect business. “Industry and government have common interests, but
we look at the threats in a different way,” stated Algeier. Although government agencies
continue to focus on worst-case scenarios, in Algeier’s opinion private companies are not
convinced these scenarios are the most likely. Due to continual changes in how private
industry discloses threat vulnerabilities, such as disclosing weaknesses to stakeholders
and customers before sharing with public agencies, information-sharing hubs like the
FS and IT-ISACs continually look for new ways to improve threat information sharing;
for example, facilitating discussion about cyber-attacks that companies currently
experience.

Further challenges to private-public information-sharing were noted in a recent
Senate hearing on cybersecurity before the U.S. Senate Committee on Banking, Housing,
and Urban Affairs. In December 2014, the Director of Treasury’s Office of Critical
Infrastructure Protection and Compliance Policy (OCIP), Brian Peretti, briefed the Senate
on the current state of cybersecurity efforts between both public and private sectors and
the Department of Treasury’s role in fostering those relationships. While he identified
several reoccurring challenges, such as declassifying threat information for private sector
use and increasing efficiency in the information-sharing process, Peretti noted that many
private sector companies are still apprehensive about sharing threat information due to the
lack of clear legal guidelines. Some government agencies have attempted to ease those
concerns. The Department of Justice (DOJ) recently addressed privacy concerns over
sharing threat information containing consumer information in a white paper titled
Sharing Cyberthreat Information Under 18 USC § 2702(a)(3). The DOJ viewed the
Stored Communications Act (SCA)—the law that prohibits sharing consumer
information—as a regulation that would permit private companies to share cyber-related
threat information with government agencies so long as the data is collective in nature
and does not single out any one individual. Despite such attempts to read between the
legal lines, many private companies are still reluctant to share data with the government
due to fears of public disclosure (e.g., the Snowden revelations), preventing private
companies from conducting their own damage control and finding a resolution before
public exposure. This is concerning to private financial firms in relation to exposure
due to the large pool of government actors involved: the Federal Trade Commission
(FTC), Securities and Exchange Commission (SEC), Department of Justice (DOJ),
National Security Agency (NSA), and U.S. CYBERCOM. Each of these agencies has
a unique role in regulating cybersecurity, which only increases the probability of an
unintentional or accidental exposure.

E. SUMMARY

Both private and public institutions that operate within the finance CI sector
continue to depend on the security of our nation’s financial networks for trade and
communication. Increasing cyber-attacks on banks, financial institutions, and individuals
from criminals, hacktivists, and even states—primarily China and Iran—require the use of
information sharing PPPs to increase security and efficiency in both public and private
networks, and help close the gap in government and private sector cooperation. For 15
years, the FS-ISAC has continued to develop ways and means of facilitating
cybersecurity information sharing between government agencies and private companies;
most notably, their annual CAPP exercises that test the resiliency of private companies to
respond to multiple cyber-attacks, and endorsement of the STIX and TAXII programs
designed to speed up the information sharing process. The FSSCC and NIST have also
made notable strides in fostering the creation of PPPs to enhance cybersecurity
information sharing within the financial sector.

This chapter assessed the current challenges facing the establishment of PPPs to
advance cyber information sharing within the finance sector of critical infrastructure.
Those concerns include: lack of trust, incentives, and timely exchange of threat
information; differences in threat perception; free-riding institutions that only collect
rather than share threat information; government agencies pushing useless, unfiltered
data; limited resources (assets) for smaller companies; and fears of legal and reputation
damages due to public disclosure. The evidence found in this case study suggests that
there are several other explanations beyond the original three hypotheses proposed in
Chapter I. The validation of the original three and the additional explanations are
discussed in the next chapter. Despite the significant hurdles facing both sides in
collaborating, the recent surge in cyber-attacks targeting U.S. critical infrastructure
should be incentive enough for companies to get onboard with the PPP concept. It is
reasonable to argue, based on evidence presented in this chapter, that the efforts from the
FS-ISAC, IT-ISAC, FSSCC, and NIST are not only addressing the concerns of private
companies in the finance industry, but also making positive strides towards breaking
down barriers between public and private information sharing.

V. CONCLUSION


A. SYNOPSIS

Chapter I introduced the topic of cybersecurity within the public-private sector to
set up the major thesis question: Why do cybersecurity information-sharing problems
exist between government agencies and private companies? It also established the
importance of the research; explored the prevalent literature on cybersecurity
information-sharing within the public and private sector; provided three potential
hypotheses that best explain why barriers to public and private cooperation in cyber
information-sharing exist today; and identified the banking and finance CI sector as the
most promising case study to validate the three explanations. As stated in Chapter I, the
banking and finance sector has not only experienced a significant increase in
cyber-attacks—to include identity theft and breaches of major retail companies—but also
has the potential to suffer the most catastrophic damage to the nation’s security, economy,
and way of life. Thus, this thesis recognized the finance industry as the most prominent
sector in which to examine and gather new evidence.

Chapter II provided a background of the more recent cyber-related attacks across
various sectors of CI to further establish the importance and urgency of cybersecurity
information-sharing between the public and private sectors. The chapter also offered a
brief description of the most recent controversial cybersecurity policies and legislation
dilemmas relevant to this research—including CISA, EO 13636, PPD-21, and the 2013
NIPP; and DHS and NIST’s response to various cybersecurity requirements ordered
under EO 13636—such as NIST’s Cybersecurity Framework and DHS’s CWP program.

Chapter III introduced the concept of cybersecurity public-private partnerships
(PPP) and identified several factors that promote, challenge, and limit the establishment
of, and agency participation in, cybersecurity information-sharing partnerships to defend
against cyber-related threats. This chapter identified and discussed current cybersecurity
PPPs in action—such as the Enduring Security Framework (the collaboration of several
major IT and defense companies that meet several times annually to discuss current cyber
threats and best practices); the National Cyber Forensics and Training Alliance
(public-private effort that supports the timely exchange of up-to-date cyber threats and
cyber-related crimes that occur within sectors, including the finance sector); and the major
public-private effort that went into developing NIST’s Cybersecurity Framework 1.0.
While information-sharing between both sectors has improved, several challenges, such
as lack of trust, legal barriers, and failed expectations, continue to hinder the success of
PPPs in cybersecurity.

Chapter IV explored the banking and financial CI sector to identify and assess the
current challenges facing the establishment of PPPs to advance cyber information-sharing
between the government and private companies. Lack of trust and incentives, timely
exchange of threat information, varying threat perceptions, free-riding, sharing of useless
or unfiltered data, limited resources for smaller businesses, and fears of legal liability and
damage to company image were the common themes found within the financial sector
that continue to inhibit the success of information-sharing PPPs. This evidence not only
validates the three hypotheses introduced in Chapter I, it also reveals several other
explanations that are discussed in the next section.

B.  HYPOTHESIS  TEST 

The  three  proposed  hypotheses  will  now  be  tested  based  on  evidence  provided  in 
Chapters  III  and  IV  in  an  effort  to  answer  the  major  research  question  of  why 
information-sharing  problems  exist  between  government  agencies  and  private  companies. 
While  this  evidence  helps  validate  the  three  explanations  introduced  in  Chapter  I,  it  also 
reveals  several  others;  thus,  those  additional  findings  are  provided  following  validation  of 
the  initial  three  hypotheses. 

1. Hypothesis One:

Participation in PPPs is less likely to occur when either side fails to share
cyber-related information in a timely and accurate manner.

This explanation assumes that both government and private businesses expect
these to be the minimum requirements for participation in a cybersecurity
information-sharing alliance. While earlier literature (discussed in Chapter I) was used to
arrive at this explanation, evidence found in Chapter IV equally supports this hypothesis.


a.  Timely  Exchange  of  Threat  Information 

Despite recent and ongoing efforts of PPPs, such as FS-ISAC’s automated sharing
initiatives, STIX and TAXII, and NCFTA’s cybercrime network, to increase the
timely exchange of cyber-related threat information, further evidence found in Chapter
IV corroborates the claim of this first hypothesis. One example is the FSSCC’s finding
that both public and private companies within the banking and finance sector lack timely
sharing of cyber-related threat information that could facilitate the creation of adequate
protective programs against malicious online activity. Another example is found in
Steven Chabinsky’s testimony that despite the recent increase in information flow
between both sectors within the finance industry, private companies continue to express
concern over the government’s push of uncoordinated, bulky, irrelevant, and unsolicited
threat information. Private firms worry that the government is more concerned about
quantity versus quality without regard to the actual utility of the information being
shared. Further support of this hypothesis is found in Manuel Suter’s cybersecurity
briefing—held in Zurich, Switzerland in 2010—in which he identified misplaced
expectations between both government and private companies as one of several major
challenges facing cybersecurity information sharing PPPs aimed at protecting CI.

2. Hypothesis Two

Private companies feel threatened by cybersecurity regulations and
standards that increase security costs, risk the loss of market share, and lack
incentives, thus decreasing the likelihood of PPP participation.

This hypothesis assumes that companies are less likely to share cyber-related
information when government regulations and standards create at least one of the three
conditions: security cost increase; risk to market share; and lack of incentives. While
earlier evidence provided in the literature review aided in producing this hypothesis,
further evidence found in both Chapters III and IV equally supports this second
explanation. The three identified conditions in this hypothesis are discussed below
separately.


a.  Security  Cost  Increase 

Both Chabinsky and the FSSCC found that private companies are concerned with
the unbalanced costs between attackers and defenders. While attackers continue to
increasingly penetrate banking and financial networks at a low and sometimes even zero
cost, Chabinsky argued that private companies continue to see a rise in cybersecurity
costs. For example, recent DDoS attacks from other nation states, such as North Korea
and Iran, have the private sector worried that big government is leaving individual
companies on their own to defend against such attacks. Private companies are forced
to focus their resources on reducing vulnerabilities while the government remains
disengaged, thus increasing security costs to private businesses.

b.  Risk  to  Market  Share 

The NYDFS’s Report on Cybersecurity in the Banking Sector found that despite
the recent increase of private financial firms willing to share threat information and
participate in information-sharing PPPs, such as the FS-ISAC, numerous private
companies remain reluctant due to fears of exposing weakness, not only to consumers but
also to other competing companies within the finance industry. Further evidence
suggests that many private companies are still reluctant to share data with the government
due to fears of public disclosure, such as the recent Edward Snowden revelations. Public
leaks such as these prevent individual private companies from conducting damage control
and establishing resolution prior to public exposure, thus resulting in a higher risk of
market share loss to competitors. Additionally, the risk of market share loss due to
unintentional or accidental exposure increases significantly when multiple government
agencies, such as the FTC, SEC, DOJ, U.S. CYBERCOM, and NSA, become involved in
regulating cybersecurity, further preventing private companies from participating in PPPs
that share cyber-threat information.

c.  Lack  of  Incentives 

While ISACs facilitate the collection, evaluation, and dissemination of cyber
threat information, problems such as free riding—companies that participate only to
collect threat information while making no contribution—often result from the lack of
adequate incentives. A major limitation to information-sharing PPPs, such as the
FS-ISAC, is that most are voluntary and lack the necessary incentives to encourage
participation; in other words, information shared is limited to information received.
Further evidence, provided by the FSSCC, suggests that private companies feel that a
lack of criminal penalties and limited access to government resources must be resolved if
private financial institutions are to adopt incentives, such as those defined in NIST’s
framework—designed to improve and encourage information sharing between both
public and private entities across all sectors of CI. The FSSCC also found that offering
incentives to private owners and operators within the financial sector to adopt the
framework is a major challenge when standards and requirements are unclear. Further
discussion of NIST’s Framework is provided in Chapter II. The FSSCC also argued that
the balance of incentives and disincentives between attackers and defenders also concerns
private companies. Private businesses expect law enforcement to prosecute
cyber-criminal activity; however, issues of attribution and lack of resources to investigate
cyber-crimes have made it difficult to deter cyber criminals. Furthermore, financial
institutions have sustained unrecoverable losses from cyber-attacks, such as data theft and
trade secrets. The imbalance of incentives and disincentives between private financial
firms and cyber criminals—coupled with the government’s inability to protect and
prosecute—continues to deter private-public collaboration.

3.  Hypothesis  Three 

Small- to medium-sized private sector companies lack the necessary
resources to participate in information-sharing cybersecurity PPPs.

While  the  evidence  presented  in  this  thesis  to  support  this  hypothesis  is 
significantly  less  than  the  first  two,  it  is  worth  noting  the  findings  provided  in  Chapter  IV 
that  help  support  this  claim. 

a.  Small-  to  Medium-Sized  Companies  Lack  Resources 

Despite the lack of substantial evidence on small-to-medium sized financial
companies’ ability or willingness to participate in cybersecurity information-sharing
PPPs, the NYDFS’s Report on Cybersecurity in the Banking Sector is one respectable
source. As noted in Chapter IV, the report found that fewer than 25% of smaller
corporations were participating in information-sharing partnerships, such as the
FS-ISAC, due to limited financial resources—despite the costs for membership of most
ISACs for smaller financial institutions (whose assets were less than $1 billion) being
relatively low compared to the benefits of receiving timely physical and cyber threat
information.200 Figure 2 in Chapter IV illustrates the NYDFS’s findings and compares
smaller companies with their larger associates. It is also worth noting that while recent
cybersecurity exercises, such as the FS-ISAC’s annual Cyber Attack Against Payment
Processes Simulation (CAPP), have attracted many small- to medium-sized companies to
participate at no cost—potentially expanding participation of private firms in
information-sharing PPPs—this thesis found no evidence or data to support this claim.201
Further research into individual financial firms could reveal additional data, which was
outside the scope of this thesis.

4.  Additional  Explanations 

In  addition  to  the  three  hypotheses  tested  above,  this  thesis  found  several  other 
common  and  credible  explanations  as  to  why  barriers  exist  between  government  agencies 
and  private  companies  within  the  financial  sector.  The  likely  barriers  identified  in  both 
Chapters III (Cybersecurity PPPs) and IV (Financial Sector Case Study) include:

•  Lack  of  trust 

•  Fears  of  legal  and  reputation  damages  due  to  public  disclosure 

•  Diverging  interests,  such  as  differences  in  threat  perception 

•  Free-riding  due  to  volunteer  nature  of  information-sharing 

•  Limited  resources  for  smaller  companies 

Although  the  challenges  and  limitations  to  establishing  and  employing 
information-sharing  PPPs  to  effectively  counter  cyber  threats  are  numerous,  this  thesis 
found  these  to  be  the  most  prominent  concerns  among  public  and  private  sector  entities 
within the banking and financial CI sector.

C.  CONSIDERATIONS  FOR  FURTHER  RESEARCH 

While  this  thesis  explored  cybersecurity  issues  between  the  government  and 
private  sector  utilizing  only  published  information  (such  as  academic  journals, 
interviews,  opinion  pieces,  and  government  reports),  future  research  that  includes 
personal  interviews  with  Executives,  Information  Officers,  and  IT  specialists  of  major 
private  companies  could  reveal  additional  barriers  that  inhibit  public-private  cooperation. 
To  ensure  the  credibility  of  these  sources,  every  effort  should  be  made  to  avoid  source 
anonymity. Additionally, while this thesis focused exclusively on the banking and
finance CI sector, future research could include a cross-sector comparison among other
similar CI sectors, such as the IT and communications sector, in an effort to identify the
similarities and differences of how each sector deals with information-sharing problems.
Similarly, an evaluation of how the several different ISACs foster information-sharing
between the government and private sector companies could add value to the existing
body of knowledge on cybersecurity issues between the government and private sector.